From d91dc3767fc793db4d2db7fb89329eea24363ddb Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 30 Apr 2019 13:52:29 +0100
Subject: [PATCH] Skip copying CIDs to SSL transforms until CID feature is complete
This commit temporarily comments the copying of the negotiated CIDs into the established ::mbedtls_ssl_transform in mbedtls_ssl_derive_keys() until the CID feature has been fully implemented. While mbedtls_ssl_decrypt_buf() and mbedtls_ssl_encrypt_buf() do support CID-based record protection by now and can be unit tested, the following two changes in the rest of the stack are still missing before CID-based record protection can be integrated:
- Parsing of CIDs in incoming records.
- Allowing the new CID record content type for incoming records.
- Dealing with a change of record content type during record decryption.
Further, since mbedtls_ssl_get_peer_cid() judges the use of CIDs by the CID fields in the currently transforms, this change also requires temporarily disabling some grepping for ssl_client2 / ssl_server2 debug output in ssl-opt.sh.
---
 library/ssl_tls.c | 13 +++---
 tests/ssl-opt.sh | 110 +++++++++++++++++++++++++---------------------
 2 files changed, 68 insertions(+), 55 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 6ffa19bf5..8a09a82cb 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -724,11 +724,14 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
 if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
 {
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
- transform->in_cid_len = ssl->own_cid_len;
- transform->out_cid_len = ssl->handshake->peer_cid_len;
- memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );
- memcpy( transform->out_cid, ssl->handshake->peer_cid,
- ssl->handshake->peer_cid_len );
+
+ /* Uncomment this once CID-parsing and support for a change
+ * record content type during record decryption are added. */
+ /* transform->in_cid_len = ssl->own_cid_len; */
+ /* transform->out_cid_len = ssl->handshake->peer_cid_len; */
+ /* memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len ); */
+ /* memcpy( transform->out_cid, ssl->handshake->peer_cid, */
+ /* ssl->handshake->peer_cid_len ); */
 MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid, transform->out_cid_len );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 60879b566..6b6c4aebb 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1163,11 +1163,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID none
 -c "found CID extension" \
 -c "Use of CID extension negotiated" \
 -s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -c "Peer CID (length 2 Bytes): de ad" \
- -s "Peer CID (length 2 Bytes): be ef"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -c "Peer CID (length 2 Bytes): de ad" \
+# -s "Peer CID (length 2 Bytes): be ef"
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
 requires_config_enabled MBEDTLS_SSL_CID
 run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty" \
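Review bot: The `MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) )` line and the `MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", ... )` call after the commented block still run, so the log reports a copy that no longer happens and dumps `transform->out_cid` with whatever length the transform was initialised with (presumably zero; the initialisation is outside the hunk). The ssl-opt.sh expectations that remain still grep for that message, so they pass without showing anything about the transform. I would reword the message, e.g. `"CID negotiated, not yet applied to SSL transform"`, with the ssl-opt.sh greps updated to match, and prefer a build-time guard over five commented-out statements, which no compiler checks until they are restored. When the copy is restored, `ssl->own_cid_len` and `ssl->handshake->peer_cid_len` should be checked against the size of the destination arrays before the `memcpy` calls, since no bound is visible here. The body of mbedtls_ssl_derive_keys() starts and ends outside the hunk.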
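Review bot: The commented-out expectations are not uniform in their line continuations: in this hunk (1163) and in the ones at 1203 and 1398 the second `Peer CID` line has no trailing `\` although more lines follow, and in every hunk the last commented line ends in `\`. Together with the `\` dropped from the live `-c "Copy CIDs into SSL transform"` line, re-enabling a test needs several hand edits per `run_test`, and a missed one ends the command early so the remaining expectations are not passed to it. Writing the block so that every commented line but the last ends in `\`, e.g. finishing on `# -c "Use of Connection ID has been negotiated"`, makes the later revert mechanical. The `run_test` invocations start outside the hunks.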
@@ -1183,11 +1184,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty" \
 -c "found CID extension" \
 -c "Use of CID extension negotiated" \
 -s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -c "Peer CID (length 4 Bytes): de ad be ef" \
- -s "Peer CID (length 0 Bytes):"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -c "Peer CID (length 4 Bytes): de ad be ef" \
+# -s "Peer CID (length 0 Bytes):" \
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
 requires_config_enabled MBEDTLS_SSL_CID
 run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty" \
@@ -1203,11 +1205,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty" \
 -c "found CID extension" \
 -c "Use of CID extension negotiated" \
 -s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -s "Peer CID (length 4 Bytes): de ad be ef" \
- -c "Peer CID (length 0 Bytes):"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -s "Peer CID (length 4 Bytes): de ad be ef" \
+# -c "Peer CID (length 0 Bytes):"
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
 requires_config_enabled MBEDTLS_SSL_CID
 run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty" \
@@ -1241,11 +1244,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID none
 -c "found CID extension" \
 -c "Use of CID extension negotiated" \
 -s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -c "Peer CID (length 2 Bytes): de ad" \
- -s "Peer CID (length 2 Bytes): be ef"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -c "Peer CID (length 2 Bytes): de ad" \
+# -s "Peer CID (length 2 Bytes): be ef" \
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
 requires_config_enabled MBEDTLS_SSL_CID
 run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CCM-8" \
@@ -1261,11 +1265,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-
 -c "found CID extension" \
 -c "Use of CID extension negotiated" \
 -s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -c "Peer CID (length 4 Bytes): de ad be ef" \
- -s "Peer CID (length 0 Bytes):"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -c "Peer CID (length 4 Bytes): de ad be ef" \
+# -s "Peer CID (length 0 Bytes):" \
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
 requires_config_enabled MBEDTLS_SSL_CID
 run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CCM-8" \
@@ -1281,11 +1286,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-
 -c "found CID extension" \
 -c "Use of CID extension negotiated" \
 -s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -s "Peer CID (length 4 Bytes): de ad be ef" \
- -c "Peer CID (length 0 Bytes):"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -s "Peer CID (length 4 Bytes): de ad be ef" \
+# -c "Peer CID (length 0 Bytes):" \
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
 requires_config_enabled MBEDTLS_SSL_CID
 run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CCM-8" \
@@ -1319,11 +1325,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID none
 -c "found CID extension" \
 -c "Use of CID extension negotiated" \
 -s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -c "Peer CID (length 2 Bytes): de ad" \
- -s "Peer CID (length 2 Bytes): be ef"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -c "Peer CID (length 2 Bytes): de ad" \
+# -s "Peer CID (length 2 Bytes): be ef" \
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
 requires_config_enabled MBEDTLS_SSL_CID
 run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CBC" \
@@ -1339,11 +1346,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-
 -c "found CID extension" \
 -c "Use of CID extension negotiated" \
 -s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -c "Peer CID (length 4 Bytes): de ad be ef" \
- -s "Peer CID (length 0 Bytes):"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -c "Peer CID (length 4 Bytes): de ad be ef" \
+# -s "Peer CID (length 0 Bytes):" \
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
 requires_config_enabled MBEDTLS_SSL_CID
 run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CBC" \
@@ -1359,11 +1367,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-
 -c "found CID extension" \
 -c "Use of CID extension negotiated" \
 -s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -s "Peer CID (length 4 Bytes): de ad be ef" \
- -c "Peer CID (length 0 Bytes):"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -s "Peer CID (length 4 Bytes): de ad be ef" \
+# -c "Peer CID (length 0 Bytes):" \
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
 requires_config_enabled MBEDTLS_SSL_CID
 run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CBC" \
@@ -1398,11 +1407,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, renegotiate" \
 -c "found CID extension" \
 -c "Use of CID extension negotiated" \
 -s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -c "Peer CID (length 2 Bytes): de ad" \
- -s "Peer CID (length 2 Bytes): be ef"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -c "Peer CID (length 2 Bytes): de ad" \
+# -s "Peer CID (length 2 Bytes): be ef"
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
 # Tests for Encrypt-then-MAC extension