Skip copying CIDs to SSL transforms until CID feature is complete

This commit temporarily comments the copying of the negotiated CIDs
into the established ::mbedtls_ssl_transform in mbedtls_ssl_derive_keys()
until the CID feature has been fully implemented.

While mbedtls_ssl_decrypt_buf() and mbedtls_ssl_encrypt_buf() do
support CID-based record protection by now and can be unit tested,
the following two changes in the rest of the stack are still missing
before CID-based record protection can be integrated:
- Parsing of CIDs in incoming records.
- Allowing the new CID record content type for incoming records.
- Dealing with a change of record content type during record
  decryption.

Further, since mbedtls_ssl_get_peer_cid() judges the use of CIDs by
the CID fields in the currently transforms, this change also requires
temporarily disabling some grepping for ssl_client2 / ssl_server2
debug output in ssl-opt.sh.
This commit is contained in:
Hanno Becker 2019-04-30 13:52:29 +01:00
parent 92c930f7c4
commit d91dc3767f
2 changed files with 68 additions and 55 deletions

View file

@ -724,11 +724,14 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
transform->in_cid_len = ssl->own_cid_len;
transform->out_cid_len = ssl->handshake->peer_cid_len;
memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );
memcpy( transform->out_cid, ssl->handshake->peer_cid,
ssl->handshake->peer_cid_len );
/* Uncomment this once CID-parsing and support for a change
* record content type during record decryption are added. */
/* transform->in_cid_len = ssl->own_cid_len; */
/* transform->out_cid_len = ssl->handshake->peer_cid_len; */
/* memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len ); */
/* memcpy( transform->out_cid, ssl->handshake->peer_cid, */
/* ssl->handshake->peer_cid_len ); */
MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,
transform->out_cid_len );

View file

@ -1163,11 +1163,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID none
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 2 Bytes): de ad" \
-s "Peer CID (length 2 Bytes): be ef"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -c "Peer CID (length 2 Bytes): de ad" \
# -s "Peer CID (length 2 Bytes): be ef"
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty" \
@ -1183,11 +1184,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 4 Bytes): de ad be ef" \
-s "Peer CID (length 0 Bytes):"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -c "Peer CID (length 4 Bytes): de ad be ef" \
# -s "Peer CID (length 0 Bytes):" \
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty" \
@ -1203,11 +1205,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-s "Peer CID (length 4 Bytes): de ad be ef" \
-c "Peer CID (length 0 Bytes):"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -s "Peer CID (length 4 Bytes): de ad be ef" \
# -c "Peer CID (length 0 Bytes):"
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty" \
@ -1241,11 +1244,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID none
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 2 Bytes): de ad" \
-s "Peer CID (length 2 Bytes): be ef"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -c "Peer CID (length 2 Bytes): de ad" \
# -s "Peer CID (length 2 Bytes): be ef" \
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CCM-8" \
@ -1261,11 +1265,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 4 Bytes): de ad be ef" \
-s "Peer CID (length 0 Bytes):"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -c "Peer CID (length 4 Bytes): de ad be ef" \
# -s "Peer CID (length 0 Bytes):" \
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CCM-8" \
@ -1281,11 +1286,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-s "Peer CID (length 4 Bytes): de ad be ef" \
-c "Peer CID (length 0 Bytes):"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -s "Peer CID (length 4 Bytes): de ad be ef" \
# -c "Peer CID (length 0 Bytes):" \
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CCM-8" \
@ -1319,11 +1325,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID none
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 2 Bytes): de ad" \
-s "Peer CID (length 2 Bytes): be ef"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -c "Peer CID (length 2 Bytes): de ad" \
# -s "Peer CID (length 2 Bytes): be ef" \
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CBC" \
@ -1339,11 +1346,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 4 Bytes): de ad be ef" \
-s "Peer CID (length 0 Bytes):"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -c "Peer CID (length 4 Bytes): de ad be ef" \
# -s "Peer CID (length 0 Bytes):" \
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CBC" \
@ -1359,11 +1367,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-s "Peer CID (length 4 Bytes): de ad be ef" \
-c "Peer CID (length 0 Bytes):"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -s "Peer CID (length 4 Bytes): de ad be ef" \
# -c "Peer CID (length 0 Bytes):" \
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CBC" \
@ -1398,11 +1407,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, renegotiate" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 2 Bytes): de ad" \
-s "Peer CID (length 2 Bytes): be ef"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -c "Peer CID (length 2 Bytes): de ad" \
# -s "Peer CID (length 2 Bytes): be ef"
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
# Tests for Encrypt-then-MAC extension