Skip copying CIDs to SSL transforms until CID feature is complete
This commit temporarily comments the copying of the negotiated CIDs
into the established ::mbedtls_ssl_transform in mbedtls_ssl_derive_keys()
until the CID feature has been fully implemented.
While mbedtls_ssl_decrypt_buf() and mbedtls_ssl_encrypt_buf() do
support CID-based record protection by now and can be unit tested,
the following two changes in the rest of the stack are still missing
before CID-based record protection can be integrated:
- Parsing of CIDs in incoming records.
- Allowing the new CID record content type for incoming records.
- Dealing with a change of record content type during record
decryption.
Further, since mbedtls_ssl_get_peer_cid() judges the use of CIDs by
the CID fields in the currently transforms, this change also requires
temporarily disabling some grepping for ssl_client2 / ssl_server2
debug output in ssl-opt.sh.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index af8bfde..c558a84 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -956,11 +956,14 @@
if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
- transform->in_cid_len = ssl->own_cid_len;
- transform->out_cid_len = ssl->handshake->peer_cid_len;
- memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );
- memcpy( transform->out_cid, ssl->handshake->peer_cid,
- ssl->handshake->peer_cid_len );
+
+ /* Uncomment this once CID-parsing and support for a change
+ * record content type during record decryption are added. */
+ /* transform->in_cid_len = ssl->own_cid_len; */
+ /* transform->out_cid_len = ssl->handshake->peer_cid_len; */
+ /* memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len ); */
+ /* memcpy( transform->out_cid, ssl->handshake->peer_cid, */
+ /* ssl->handshake->peer_cid_len ); */
MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,
transform->out_cid_len );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index de06532..bf8693d 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1321,11 +1321,12 @@
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -c "Peer CID (length 2 Bytes): de ad" \
- -s "Peer CID (length 2 Bytes): be ef"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -c "Peer CID (length 2 Bytes): de ad" \
+# -s "Peer CID (length 2 Bytes): be ef"
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty" \
@@ -1341,11 +1342,12 @@
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -c "Peer CID (length 4 Bytes): de ad be ef" \
- -s "Peer CID (length 0 Bytes):"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -c "Peer CID (length 4 Bytes): de ad be ef" \
+# -s "Peer CID (length 0 Bytes):" \
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty" \
@@ -1361,11 +1363,12 @@
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -s "Peer CID (length 4 Bytes): de ad be ef" \
- -c "Peer CID (length 0 Bytes):"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -s "Peer CID (length 4 Bytes): de ad be ef" \
+# -c "Peer CID (length 0 Bytes):"
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty" \
@@ -1399,11 +1402,12 @@
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -c "Peer CID (length 2 Bytes): de ad" \
- -s "Peer CID (length 2 Bytes): be ef"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -c "Peer CID (length 2 Bytes): de ad" \
+# -s "Peer CID (length 2 Bytes): be ef" \
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CCM-8" \
@@ -1419,11 +1423,12 @@
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -c "Peer CID (length 4 Bytes): de ad be ef" \
- -s "Peer CID (length 0 Bytes):"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -c "Peer CID (length 4 Bytes): de ad be ef" \
+# -s "Peer CID (length 0 Bytes):" \
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CCM-8" \
@@ -1439,11 +1444,12 @@
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -s "Peer CID (length 4 Bytes): de ad be ef" \
- -c "Peer CID (length 0 Bytes):"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -s "Peer CID (length 4 Bytes): de ad be ef" \
+# -c "Peer CID (length 0 Bytes):" \
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CCM-8" \
@@ -1477,11 +1483,12 @@
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -c "Peer CID (length 2 Bytes): de ad" \
- -s "Peer CID (length 2 Bytes): be ef"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -c "Peer CID (length 2 Bytes): de ad" \
+# -s "Peer CID (length 2 Bytes): be ef" \
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CBC" \
@@ -1497,11 +1504,12 @@
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -c "Peer CID (length 4 Bytes): de ad be ef" \
- -s "Peer CID (length 0 Bytes):"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -c "Peer CID (length 4 Bytes): de ad be ef" \
+# -s "Peer CID (length 0 Bytes):" \
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CBC" \
@@ -1517,11 +1525,12 @@
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -s "Peer CID (length 4 Bytes): de ad be ef" \
- -c "Peer CID (length 0 Bytes):"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -s "Peer CID (length 4 Bytes): de ad be ef" \
+# -c "Peer CID (length 0 Bytes):" \
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CBC" \
@@ -1556,11 +1565,12 @@
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
- -c "Copy CIDs into SSL transform" \
- -s "Use of Connection ID has been negotiated" \
- -c "Use of Connection ID has been negotiated" \
- -c "Peer CID (length 2 Bytes): de ad" \
- -s "Peer CID (length 2 Bytes): be ef"
+ -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+# -c "Peer CID (length 2 Bytes): de ad" \
+# -s "Peer CID (length 2 Bytes): be ef"
+# -s "Use of Connection ID has been negotiated" \
+# -c "Use of Connection ID has been negotiated" \
# Tests for Encrypt-then-MAC extension