yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-02-03 05:01:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/pr/559' into baremetal

Browse source
This commit is contained in:
Simon Butcher 2019-05-24 15:05:07 +01:00
parent 724a695534 8013b27481
commit ba13ff514f
11 changed files with 632 additions and 65 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
configs/baremetal.h
View file

@ -80,6 +80,7 @@
#define MBEDTLS_SSL_DTLS_ANTI_REPLAY #define MBEDTLS_SSL_DTLS_ANTI_REPLAY
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT #define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
#define MBEDTLS_SSL_CID
/* X.509 CRT parsing */ /* X.509 CRT parsing */
#define MBEDTLS_X509_USE_C #define MBEDTLS_X509_USE_C

12
include/mbedtls/check_config.h
View file

@ -600,6 +600,18 @@
#error "MBEDTLS_SSL_CID defined, but not all prerequisites" #error "MBEDTLS_SSL_CID defined, but not all prerequisites"
#endif #endif
#if defined(MBEDTLS_SSL_CID) && \
defined(MBEDTLS_SSL_CID_IN_LEN_MAX) && \
MBEDTLS_SSL_CID_IN_LEN_MAX > 255
#error "MBEDTLS_SSL_CID_IN_LEN_MAX too large (max 255)"
#endif
#if defined(MBEDTLS_SSL_CID) && \
defined(MBEDTLS_SSL_CID_OUT_LEN_MAX) && \
MBEDTLS_SSL_CID_OUT_LEN_MAX > 255
#error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)"
#endif
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \ #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) ) ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
#error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT defined, but not all prerequisites" #error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT defined, but not all prerequisites"

28
include/mbedtls/ssl.h
View file

@ -382,6 +382,10 @@
#define MBEDTLS_TLS_EXT_SESSION_TICKET 35 #define MBEDTLS_TLS_EXT_SESSION_TICKET 35
/* The value of the CID extension is still TBD as of
* https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04. */
#define MBEDTLS_TLS_EXT_CID 254 /* TBD */
#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP 256 /* experimental */ #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP 256 /* experimental */
#define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO 0xFF01 #define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO 0xFF01
@ -1190,6 +1194,21 @@ struct mbedtls_ssl_context
char own_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */ char own_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */
char peer_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */ char peer_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */
#endif /* MBEDTLS_SSL_RENEGOTIATION */ #endif /* MBEDTLS_SSL_RENEGOTIATION */
#if defined(MBEDTLS_SSL_CID)
/* CID configuration to use in subsequent handshakes. */
/*! The next incoming CID, chosen by the user and applying to
* all subsequent handshakes. This may be different from the
* CID currently used in case the user has re-configured the CID
* after an initial handshake. */
unsigned char own_cid[ MBEDTLS_SSL_CID_IN_LEN_MAX ];
uint8_t own_cid_len; /*!< The length of \c own_cid. */
uint8_t negotiate_cid; /*!< This indicates whether the CID extension should
* be negotiated in the next handshake or not.
* Possible values are #MBEDTLS_SSL_CID_ENABLED
* and #MBEDTLS_SSL_CID_DISABLED. */
#endif /* MBEDTLS_SSL_CID */
}; };
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
@ -1529,6 +1548,13 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
* progress, this function will attempt to complete * progress, this function will attempt to complete
* the handshake first. * the handshake first.
* *
* \note If CID extensions have been exchanged but both client
* and server chose to use an empty CID, this function
* sets `*enabled` to #MBEDTLS_SSL_CID_DISABLED
* (the rationale for this is that the resulting
* communication is the same as if the CID extensions
* hadn't been used).
*
* \return \c 0 on success. * \return \c 0 on success.
* \return A negative error code on failure. * \return A negative error code on failure.
*/ */
@ -2841,7 +2867,7 @@ void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_
* (Default: 2^48 - 1) * (Default: 2^48 - 1)
* *
* Renegotiation is automatically triggered when a record * Renegotiation is automatically triggered when a record
* counter (outgoing or ingoing) crosses the defined * counter (outgoing or incoming) crosses the defined
* threshold. The default value is meant to prevent the * threshold. The default value is meant to prevent the
* connection from being closed when the counter is about to * connection from being closed when the counter is about to
* reached its maximal value (it is not allowed to wrap). * reached its maximal value (it is not allowed to wrap).

19
include/mbedtls/ssl_internal.h
View file

@ -343,6 +343,18 @@ struct mbedtls_ssl_handshake_params
unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
for resending messages */ for resending messages */
#if defined(MBEDTLS_SSL_CID)
/* The state of CID configuration in this handshake. */
uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
* has been negotited. Possible values are
* #MBEDTLS_SSL_CID_ENABLED and
* #MBEDTLS_SSL_CID_DISABLED. */
unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
uint8_t peer_cid_len; /*!< The length of
* \c peer_cid. */
#endif /* MBEDTLS_SSL_CID */
struct struct
{ {
size_t total_bytes_buffered; /*!< Cumulative size of heap allocated size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
@ -562,6 +574,13 @@ struct mbedtls_ssl_transform
mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */ mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
int minor_ver; int minor_ver;
#if defined(MBEDTLS_SSL_CID)
uint8_t in_cid_len;
uint8_t out_cid_len;
unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
#endif /* MBEDTLS_SSL_CID */
/* /*
* Session specific compression layer * Session specific compression layer
*/ */

123
library/ssl_cli.c
View file

@ -433,6 +433,54 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
} }
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_SSL_CID)
static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
size_t *olen )
{
unsigned char *p = buf;
size_t ext_len;
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
/*
* Quoting
* https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04:
*
* struct {
* opaque cid<0..2^8-1>;
* } ConnectionId;
*/
*olen = 0;
if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
{
return;
}
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding CID extension" ) );
/* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
* which is at most 255, so the increment cannot overflow. */
if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
return;
}
/* Add extension ID + size */
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
ext_len = (size_t) ssl->own_cid_len + 1;
*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ext_len ) & 0xFF );
*p++ = (uint8_t) ssl->own_cid_len;
memcpy( p, ssl->own_cid, ssl->own_cid_len );
*olen = ssl->own_cid_len + 5;
}
#endif /* MBEDTLS_SSL_CID */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
unsigned char *buf, unsigned char *buf,
@ -1034,6 +1082,11 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
ext_len += olen; ext_len += olen;
#endif #endif
#if defined(MBEDTLS_SSL_CID)
ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
#endif /* MBEDTLS_SSL_CID */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen; ext_len += olen;
@ -1191,6 +1244,62 @@ static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
} }
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_CID)
static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
{
size_t peer_cid_len;
if( /* CID extension only makes sense in DTLS */
ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
/* The server must only send the CID extension if we have offered it. */
ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
if( len == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
peer_cid_len = *buf++;
len--;
if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
if( len != peer_cid_len )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "Server CID", buf, peer_cid_len );
return( 0 );
}
#endif /* MBEDTLS_SSL_CID */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf, const unsigned char *buf,
@ -1842,6 +1951,20 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
break; break;
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_CID)
case MBEDTLS_TLS_EXT_CID:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
if( ( ret = ssl_parse_cid_ext( ssl,
ext + 4,
ext_size ) ) != 0 )
{
return( ret );
}
break;
#endif /* MBEDTLS_SSL_CID */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );

135
library/ssl_srv.c
View file

@ -433,6 +433,78 @@ static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
} }
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_CID)
static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
{
size_t peer_cid_len;
/* CID extension only makes sense in DTLS */
if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
}
/*
* Quoting
* https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04:
*
* struct {
* opaque cid<0..2^8-1>;
* } ConnectionId;
*/
if( len < 1 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
}
peer_cid_len = *buf++;
len--;
if( len != peer_cid_len )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
}
/* Ignore CID if the user has disabled its use. */
if( ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
{
/* Leave ssl->handshake->cid_in_use in its default
* value of MBEDTLS_SSL_CID_DISABLED. */
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Client sent CID extension, but CID disabled" ) );
return( 0 );
}
if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
}
ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "Client CID", buf, peer_cid_len );
return( 0 );
}
#endif /* MBEDTLS_SSL_CID */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC) #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf, const unsigned char *buf,
@ -1783,6 +1855,16 @@ read_record_header:
break; break;
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_CID)
case MBEDTLS_TLS_EXT_CID:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
ret = ssl_parse_cid_ext( ssl, ext + 4, ext_size );
if( ret != 0 )
return( ret );
break;
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
@ -2060,6 +2142,54 @@ static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
} }
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_CID)
static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
size_t *olen )
{
unsigned char *p = buf;
size_t ext_len;
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
*olen = 0;
/* Skip writing the extension if we don't want to use it or if
* the client hasn't offered it. */
if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED )
return;
/* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
* which is at most 255, so the increment cannot overflow. */
if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
return;
}
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding CID extension" ) );
/*
* Quoting
* https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04:
*
* struct {
* opaque cid<0..2^8-1>;
* } ConnectionId;
*/
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
ext_len = (size_t) ssl->own_cid_len + 1;
*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ext_len ) & 0xFF );
*p++ = (uint8_t) ssl->own_cid_len;
memcpy( p, ssl->own_cid, ssl->own_cid_len );
*olen = ssl->own_cid_len + 5;
}
#endif /* MBEDTLS_SSL_CID */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
unsigned char *buf, unsigned char *buf,
@ -2581,6 +2711,11 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
ext_len += olen; ext_len += olen;
#endif #endif
#if defined(MBEDTLS_SSL_CID)
ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen; ext_len += olen;

79
library/ssl_tls.c
View file

@ -112,34 +112,66 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_CID) #if defined(MBEDTLS_SSL_CID)
/* Top-level Connection ID API */ /* Top-level Connection ID API */
/* WARNING: This implementation is a stub and doesn't do anything! /* WARNING: The CID feature isn't fully implemented yet
* It is included solely to allow review and coding against * and will not be used. */
* the new Connection CID API. */
int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl, int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
int enable, int enable,
unsigned char const *own_cid, unsigned char const *own_cid,
size_t own_cid_len ) size_t own_cid_len )
{ {
((void) ssl); ssl->negotiate_cid = enable;
((void) enable); if( enable == MBEDTLS_SSL_CID_DISABLED )
((void) own_cid); {
((void) own_cid_len); MBEDTLS_SSL_DEBUG_MSG( 3, ( "Disable use of CID extension." ) );
return( 0 );
}
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
if( own_cid_len > MBEDTLS_SSL_CID_IN_LEN_MAX )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID too large: Maximum %u, actual %u",
(unsigned) MBEDTLS_SSL_CID_IN_LEN_MAX,
(unsigned) own_cid_len ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
memcpy( ssl->own_cid, own_cid, own_cid_len );
/* Truncation is not an issue here because
* MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
ssl->own_cid_len = (uint8_t) own_cid_len;
MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
return( 0 ); return( 0 );
} }
/* WARNING: This implementation is a stub and doesn't do anything! /* WARNING: The CID feature isn't fully implemented yet
* It is included solely to allow review and coding against * and will not be used. */
* the new Connection CID API. */
int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl, int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
int *enabled, int *enabled,
unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ], unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ],
size_t *peer_cid_len ) size_t *peer_cid_len )
{ {
((void) ssl);
((void) peer_cid);
((void) peer_cid_len);
*enabled = MBEDTLS_SSL_CID_DISABLED; *enabled = MBEDTLS_SSL_CID_DISABLED;
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
/* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
* were used, but client and server requested the empty CID.
* This is indistinguishable from not using the CID extension
* in the first place. */
if( ssl->transform_in->in_cid_len == 0 &&
ssl->transform_in->out_cid_len == 0 )
{
return( 0 );
}
*peer_cid_len = ssl->transform_in->out_cid_len;
memcpy( peer_cid, ssl->transform_in->out_cid,
ssl->transform_in->out_cid_len );
*enabled = MBEDTLS_SSL_CID_ENABLED;
return( 0 ); return( 0 );
} }
#endif /* MBEDTLS_SSL_CID */ #endif /* MBEDTLS_SSL_CID */
@ -686,6 +718,25 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
} }
#if defined(MBEDTLS_SSL_CID)
/* Copy own and peer's CID if the use of the CID
* extension has been negotiated. */
if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
transform->in_cid_len = ssl->own_cid_len;
transform->out_cid_len = ssl->handshake->peer_cid_len;
memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );
memcpy( transform->out_cid, ssl->handshake->peer_cid,
ssl->handshake->peer_cid_len );
MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,
transform->out_cid_len );
MBEDTLS_SSL_DEBUG_BUF( 3, "Incoming CID", transform->in_cid,
transform->in_cid_len );
}
#endif /* MBEDTLS_SSL_CID */
/* /*
* Set appropriate PRF function and other SSL / TLS / TLS1.2 functions * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
*/ */

2
programs/ssl/ssl_client2.c
View file

@ -1787,7 +1787,7 @@ int main( int argc, char *argv[] )
(unsigned) peer_cid_len ); (unsigned) peer_cid_len );
while( idx < peer_cid_len ) while( idx < peer_cid_len )
{ {
mbedtls_printf( "%#02x ", peer_cid[ idx ] ); mbedtls_printf( "%02x ", peer_cid[ idx ] );
idx++; idx++;
} }
mbedtls_printf( "\n" ); mbedtls_printf( "\n" );

9
programs/ssl/ssl_server2.c
View file

@ -759,7 +759,8 @@ int sni_callback( void *p_info, mbedtls_ssl_context *ssl,
#endif /* SNI_OPTION */ #endif /* SNI_OPTION */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) || \
defined(MBEDTLS_SSL_CID)
#define HEX2NUM( c ) \ #define HEX2NUM( c ) \
if( c >= '0' && c <= '9' ) \ if( c >= '0' && c <= '9' ) \
@ -799,6 +800,10 @@ int unhexify( unsigned char *output, const char *input, size_t *olen )
return( 0 ); return( 0 );
} }
#endif
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
typedef struct _psk_entry psk_entry; typedef struct _psk_entry psk_entry;
struct _psk_entry struct _psk_entry
@ -2882,7 +2887,7 @@ handshake:
(unsigned) peer_cid_len ); (unsigned) peer_cid_len );
while( idx < peer_cid_len ) while( idx < peer_cid_len )
{ {
mbedtls_printf( "%#02x ", peer_cid[ idx ] ); mbedtls_printf( "%02x ", peer_cid[ idx ] );
idx++; idx++;
} }
mbedtls_printf( "\n" ); mbedtls_printf( "\n" );

4
scripts/baremetal.sh
View file

@ -177,9 +177,9 @@ baremetal_ram_build() {
baremetal_ram_heap() { baremetal_ram_heap() {
: ${CLI:=./programs/ssl/ssl_client2} : ${CLI:=./programs/ssl/ssl_client2}
: ${CLI_PARAMS:="dtls=1"} : ${CLI_PARAMS:="dtls=1 cid=1 cid_val=beef"}
: ${SRV:=./programs/ssl/ssl_server2} : ${SRV:=./programs/ssl/ssl_server2}
: ${SRV_PARAMS:="dtls=1 renegotiation=1 auth_mode=required"} : ${SRV_PARAMS:="dtls=1 renegotiation=1 auth_mode=required cid=1 cid_val=dead"}
: ${VALGRIND:=valgrind} : ${VALGRIND:=valgrind}
: ${VALGRIND_MASSIF_PARAMS="--time-unit=B --threshold=0.01 --detailed-freq=1"} : ${VALGRIND_MASSIF_PARAMS="--time-unit=B --threshold=0.01 --detailed-freq=1"}

285
tests/ssl-opt.sh
View file

@ -1120,94 +1120,289 @@ run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client enabled, server disabled" \ run_test "(STUB) Connection ID: Client enabled, server disabled" \
"$P_SRV dtls=1 cid=0" \ "$P_SRV debug_level=3 dtls=1 cid=0" \
"$P_CLI dtls=1 cid=1 cid_val=deadbeef" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
0 0 \
-s "Disable use of CID extension." \
-s "found CID extension" \
-s "Client sent CID extension, but CID disabled" \
-c "Enable use of CID extension." \
-c "client hello, adding CID extension" \
-S "server hello, adding CID extension" \
-C "found CID extension" \
-S "Copy CIDs into SSL transform" \
-C "Copy CIDs into SSL transform" \
-c "Use of Connection ID was rejected by the server"
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client disabled, server enabled" \ run_test "(STUB) Connection ID: Client disabled, server enabled" \
"$P_SRV dtls=1 cid=1 cid_val=deadbeef" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
"$P_CLI dtls=1 cid=0" \ "$P_CLI debug_level=3 dtls=1 cid=0" \
0 0 \
-c "Disable use of CID extension." \
-C "client hello, adding CID extension" \
-S "found CID extension" \
-s "Enable use of CID extension." \
-S "server hello, adding CID extension" \
-C "found CID extension" \
-S "Copy CIDs into SSL transform" \
-C "Copy CIDs into SSL transform" \
-s "Use of Connection ID was not offered by the client"
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID nonempty" \ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID nonempty" \
"$P_SRV dtls=1 cid=1 cid_val=dead" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
"$P_CLI dtls=1 cid=1 cid_val=beef" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef" \
0 0 \
-c "Enable use of CID extension." \
-s "Enable use of CID extension." \
-c "client hello, adding CID extension" \
-s "found CID extension" \
-s "Use of CID extension negotiated" \
-s "server hello, adding CID extension" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 2 Bytes): de ad" \
-s "Peer CID (length 2 Bytes): be ef"
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty" \ run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty" \
"$P_SRV dtls=1 cid=1 cid_val=deadbeef" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
"$P_CLI dtls=1 cid=1" \ "$P_CLI debug_level=3 dtls=1 cid=1" \
0 0 \
-c "Enable use of CID extension." \
-s "Enable use of CID extension." \
-c "client hello, adding CID extension" \
-s "found CID extension" \
-s "Use of CID extension negotiated" \
-s "server hello, adding CID extension" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 4 Bytes): de ad be ef" \
-s "Peer CID (length 0 Bytes):"
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty" \ run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty" \
"$P_SRV dtls=1 cid=1" \ "$P_SRV debug_level=3 dtls=1 cid=1" \
"$P_CLI dtls=1 cid=1 cid_val=deadbeef" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
0 0 \
-c "Enable use of CID extension." \
-s "Enable use of CID extension." \
-c "client hello, adding CID extension" \
-s "found CID extension" \
-s "Use of CID extension negotiated" \
-s "server hello, adding CID extension" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-s "Peer CID (length 4 Bytes): de ad be ef" \
-c "Peer CID (length 0 Bytes):"
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty" \ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty" \
"$P_SRV dtls=1 cid=1" \ "$P_SRV debug_level=3 dtls=1 cid=1" \
"$P_CLI dtls=1 cid=1" \ "$P_CLI debug_level=3 dtls=1 cid=1" \
0 0 \
-c "Enable use of CID extension." \
-s "Enable use of CID extension." \
-c "client hello, adding CID extension" \
-s "found CID extension" \
-s "Use of CID extension negotiated" \
-s "server hello, adding CID extension" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-S "Use of Connection ID has been negotiated" \
-C "Use of Connection ID has been negotiated"
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID nonempty, AES-128-CCM-8" \ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID nonempty, AES-128-CCM-8" \
"$P_SRV dtls=1 cid=1 cid_val=dead" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
"$P_CLI dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
0 0 \
-c "Enable use of CID extension." \
-s "Enable use of CID extension." \
-c "client hello, adding CID extension" \
-s "found CID extension" \
-s "Use of CID extension negotiated" \
-s "server hello, adding CID extension" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 2 Bytes): de ad" \
-s "Peer CID (length 2 Bytes): be ef"
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CCM-8" \ run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CCM-8" \
"$P_SRV dtls=1 cid=1 cid_val=deadbeef" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
"$P_CLI dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
0 0 \
-c "Enable use of CID extension." \
-s "Enable use of CID extension." \
-c "client hello, adding CID extension" \
-s "found CID extension" \
-s "Use of CID extension negotiated" \
-s "server hello, adding CID extension" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 4 Bytes): de ad be ef" \
-s "Peer CID (length 0 Bytes):"
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CCM-8" \ run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CCM-8" \
"$P_SRV dtls=1 cid=1" \ "$P_SRV debug_level=3 dtls=1 cid=1" \
"$P_CLI dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
0 0 \
-c "Enable use of CID extension." \
-s "Enable use of CID extension." \
-c "client hello, adding CID extension" \
-s "found CID extension" \
-s "Use of CID extension negotiated" \
-s "server hello, adding CID extension" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-s "Peer CID (length 4 Bytes): de ad be ef" \
-c "Peer CID (length 0 Bytes):"
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CCM-8" \ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CCM-8" \
"$P_SRV dtls=1 cid=1" \ "$P_SRV debug_level=3 dtls=1 cid=1" \
"$P_CLI dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
0 0 \
-c "Enable use of CID extension." \
-s "Enable use of CID extension." \
-c "client hello, adding CID extension" \
-s "found CID extension" \
-s "Use of CID extension negotiated" \
-s "server hello, adding CID extension" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-S "Use of Connection ID has been negotiated" \
-C "Use of Connection ID has been negotiated"
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID nonempty, AES-128-CBC" \ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID nonempty, AES-128-CBC" \
"$P_SRV dtls=1 cid=1 cid_val=dead" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
"$P_CLI dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
0 0 \
-c "Enable use of CID extension." \
-s "Enable use of CID extension." \
-c "client hello, adding CID extension" \
-s "found CID extension" \
-s "Use of CID extension negotiated" \
-s "server hello, adding CID extension" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 2 Bytes): de ad" \
-s "Peer CID (length 2 Bytes): be ef"
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CBC" \ run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CBC" \
"$P_SRV dtls=1 cid=1 cid_val=deadbeef" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
"$P_CLI dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
0 0 \
-c "Enable use of CID extension." \
-s "Enable use of CID extension." \
-c "client hello, adding CID extension" \
-s "found CID extension" \
-s "Use of CID extension negotiated" \
-s "server hello, adding CID extension" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 4 Bytes): de ad be ef" \
-s "Peer CID (length 0 Bytes):"
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CBC" \ run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CBC" \
"$P_SRV dtls=1 cid=1" \ "$P_SRV debug_level=3 dtls=1 cid=1" \
"$P_CLI dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
0 0 \
-c "Enable use of CID extension." \
-s "Enable use of CID extension." \
-c "client hello, adding CID extension" \
-s "found CID extension" \
-s "Use of CID extension negotiated" \
-s "server hello, adding CID extension" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-s "Peer CID (length 4 Bytes): de ad be ef" \
-c "Peer CID (length 0 Bytes):"
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CBC" \ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CBC" \
"$P_SRV dtls=1 cid=1" \ "$P_SRV debug_level=3 dtls=1 cid=1" \
"$P_CLI dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
0 0 \
-c "Enable use of CID extension." \
-s "Enable use of CID extension." \
-c "client hello, adding CID extension" \
-s "found CID extension" \
-s "Use of CID extension negotiated" \
-s "server hello, adding CID extension" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-S "Use of Connection ID has been negotiated" \
-C "Use of Connection ID has been negotiated"
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "(STUB) Connection ID: Client+Server enabled, renegotiate" \ run_test "(STUB) Connection ID: Client+Server enabled, renegotiate" \
"$P_SRV dtls=1 cid=1 cid_val=dead renegotiation=1" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
"$P_CLI dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
0 0 \
-c "Enable use of CID extension." \
-s "Enable use of CID extension." \
-c "client hello, adding CID extension" \
-s "found CID extension" \
-s "Use of CID extension negotiated" \
-s "server hello, adding CID extension" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 2 Bytes): de ad" \
-s "Peer CID (length 2 Bytes): be ef"
# Tests for Encrypt-then-MAC extension # Tests for Encrypt-then-MAC extension