Allow configuration of ConnectionID at compile-time

Introduces
- MBEDTLS_SSL_CONF_CID_LEN and
- MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID
to control
- the length of incoming CIDs
- the behaviour in receipt of unexpected CIDs
at compile-time.

Impact on code-size:

|  | GCC 82.1 | ARMC5 5.06 | ARMC6 6.12 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23223 | 23865 | 26775 |
| `libmbedtls.a` after  | 23147 | 23781 | 26703 |
| gain in Bytes | 76 | 84 | 72 |

configs/baremetal.h

@@ -80,6 +80,8 @@
 #define MBEDTLS_SSL_DTLS_CONNECTION_ID
 
 /* Compile-time fixed parts of the SSL configuration */
+#define MBEDTLS_SSL_CONF_CID_LEN 0
+#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
 #define MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION \
     MBEDTLS_SSL_SECURE_RENEGOTIATION
 #define MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED

include/mbedtls/check_config.h

@@ -631,6 +631,13 @@
 #error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)"
 #endif
 
+#if (  defined(MBEDTLS_SSL_CONF_CID_LEN) &&                     \
+      !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) ) ||     \
+    ( !defined(MBEDTLS_SSL_CONF_CID_LEN) &&                     \
+       defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) )
+#error "MBEDTLS_SSL_CONF_CID_LEN and MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID must be defined simultaneously"
+#endif
+
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) &&                              \
     ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
 #error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT  defined, but not all prerequisites"

include/mbedtls/config.h

@@ -3457,6 +3457,8 @@
 /* DTLS-specific settings */
 //#define MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED
 //#define MBEDTLS_SSL_CONF_BADMAC_LIMIT 0
+//#define MBEDTLS_SSL_CONF_CID_LEN 0
+//#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
 
 /* ExtendedMasterSecret extension
  * The following two options must be set/unset simultaneously. */

include/mbedtls/ssl.h

@@ -957,7 +957,9 @@ struct mbedtls_ssl_config
 #endif
 
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#if !defined(MBEDTLS_SSL_CONF_CID_LEN)
     size_t cid_len; /*!< The length of CIDs for incoming DTLS records.      */
+#endif /* !MBEDTLS_SSL_CONF_CID_LEN */
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -1100,9 +1102,11 @@ struct mbedtls_ssl_config
                                           Certificate Request messages?     */
 #endif
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
     unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS
                                              *   record with unexpected CID
                                              *   should lead to failure.    */
+#endif /* !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 };
 
@@ -2312,9 +2316,11 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co
 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
                                    const int *ciphersuites );
 
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
 #define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0
 #define MBEDTLS_SSL_UNEXPECTED_CID_FAIL   1
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+    !defined(MBEDTLS_SSL_CONF_CID_LEN) &&      \
+    !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
 /**
  * \brief               Specify the length of Connection IDs for incoming
  *                      encrypted DTLS records, as well as the behaviour
@@ -2343,13 +2349,19 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
  *                      same SSL configuration; this allows simpler parsing of
  *                      record headers.
  *
+ * \note                On constrained systems, this configuration can also be
+ *                      fixed at compile-time via MBEDTLS_SSL_CONF_CID_LEN and
+ *                      MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID.
+ *
  * \return              \c 0 on success.
  * \return              #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len
  *                      is too large.
  */
 int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len,
                           int ignore_other_cids );
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
+          !MBEDTLS_SSL_CONF_CID_LEN &&
+          !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
 
 /**
  * \brief               Set the list of allowed ciphersuites and the

include/mbedtls/ssl_internal.h

@@ -1085,6 +1085,38 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
  * be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
  */
 
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#if !defined(MBEDTLS_SSL_CONF_CID_LEN)
+static inline size_t mbedtls_ssl_conf_get_cid_len(
+    mbedtls_ssl_config  const *conf )
+{
+    return( conf->cid_len );
+}
+#else /* !MBEDTLS_SSL_CONF_CID_LEN */
+static inline size_t mbedtls_ssl_conf_get_cid_len(
+    mbedtls_ssl_config  const *conf )
+{
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_CID_LEN );
+}
+#endif /* MBEDTLS_SSL_CONF_CID_LEN */
+
+#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
+static inline unsigned int mbedtls_ssl_conf_get_ignore_unexpected_cid(
+    mbedtls_ssl_config  const *conf )
+{
+    return( conf->ignore_unexpected_cid );
+}
+#else /* !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
+static inline unsigned int mbedtls_ssl_conf_get_ignore_unexpected_cid(
+    mbedtls_ssl_config  const *conf )
+{
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID );
+}
+#endif /* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
 #if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
 static inline unsigned int mbedtls_ssl_conf_get_allow_legacy_renegotiation(
     mbedtls_ssl_config  const *conf )

library/ssl_tls.c

@@ -117,6 +117,9 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl );
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
 /* Top-level Connection ID API */
 
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+    !defined(MBEDTLS_SSL_CONF_CID_LEN) &&      \
+    !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
 int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
                           size_t len,
                           int ignore_other_cid )
@@ -134,6 +137,21 @@ int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
     conf->cid_len = len;
     return( 0 );
 }
+#else  /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
+          !MBEDTLS_SSL_CONF_CID_LEN &&
+          !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
+
+#if MBEDTLS_SSL_CONF_CID_LEN > MBEDTLS_SSL_CID_IN_LEN_MAX
+#error "Invalid hardcoded value for MBEDTLS_SSL_CONF_CID_LEN"
+#endif
+#if MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE && \
+    MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID != MBEDTLS_SSL_UNEXPECTED_CID_FAIL
+#error "Invalid hardcoded value for MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID"
+#endif
+
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
+          !MBEDTLS_SSL_CONF_CID_LEN &&
+          !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
 
 int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
                          int enable,
@@ -152,11 +170,11 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
     MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
 
-    if( own_cid_len != ssl->conf->cid_len )
+    if( own_cid_len != mbedtls_ssl_conf_get_cid_len( ssl->conf ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID length %u does not match CID length %u in config",
                                     (unsigned) own_cid_len,
-                                    (unsigned) ssl->conf->cid_len ) );
+                                    (unsigned) mbedtls_ssl_conf_get_cid_len( ssl->conf ) ) );
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
     }
 
@@ -4617,7 +4635,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
     if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
         ssl->in_msgtype      == MBEDTLS_SSL_MSG_CID            &&
-        ssl->conf->cid_len   != 0 )
+        mbedtls_ssl_conf_get_cid_len( ssl->conf ) != 0 )
     {
         /* Shift pointers to account for record header including CID
          * struct {
@@ -4634,7 +4652,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
 
         /* So far, we only support static CID lengths
          * fixed in the configuration. */
-        ssl->in_len = ssl->in_cid + ssl->conf->cid_len;
+        ssl->in_len = ssl->in_cid + mbedtls_ssl_conf_get_cid_len( ssl->conf );
         ssl->in_iv  = ssl->in_msg = ssl->in_len + 2;
     }
     else
@@ -4863,7 +4881,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
 
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
             if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
-                ssl->conf->ignore_unexpected_cid
+                mbedtls_ssl_conf_get_ignore_unexpected_cid( ssl->conf )
                   == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
             {
                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );

programs/ssl/query_config.c

@@ -2610,6 +2610,22 @@ int query_config( const char *config )
     }
 #endif /* MBEDTLS_SSL_CONF_BADMAC_LIMIT */
 
+#if defined(MBEDTLS_SSL_CONF_CID_LEN)
+    if( strcmp( "MBEDTLS_SSL_CONF_CID_LEN", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_CID_LEN );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_CONF_CID_LEN */
+
+#if defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
+    if( strcmp( "MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
+
 #if defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
     if( strcmp( "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET", config ) == 0 )
     {

programs/ssl/ssl_client2.c

@@ -1672,7 +1672,9 @@ int main( int argc, char *argv[] )
     memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+    !defined(MBEDTLS_SSL_CONF_CID_LEN) &&      \
+    !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
     if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
     {
         if( opt.cid_enabled == 1        &&
@@ -1697,7 +1699,9 @@ int main( int argc, char *argv[] )
             goto exit;
         }
     }
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
+          !MBEDTLS_SSL_CONF_CID_LEN &&
+          !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
 
     if( opt.auth_mode != DFL_AUTH_MODE )
         mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );

programs/ssl/ssl_server2.c

@@ -2489,7 +2489,9 @@ int main( int argc, char *argv[] )
     };
 #endif
 
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+    !defined(MBEDTLS_SSL_CONF_CID_LEN) &&      \
+    !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
     if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
     {
         if( opt.cid_enabled == 1        &&
@@ -2514,7 +2516,9 @@ int main( int argc, char *argv[] )
             goto exit;
         }
     }
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
+          !MBEDTLS_SSL_CONF_CID_LEN &&
+          !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
 
 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
     if( opt.trunc_hmac != DFL_TRUNC_HMAC )