Add support for change of CID to ssl_client2 / ssl_server2

And add tests for various CID configuration changes during
renegotiation to ssl-opt.sh.
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 53523dc..61b048f 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -105,6 +105,8 @@
 #define DFL_RECO_DELAY          0
 #define DFL_CID_ENABLED         0
 #define DFL_CID_VALUE           ""
+#define DFL_CID_ENABLED_RENEGO  -1
+#define DFL_CID_VALUE_RENEGO    NULL
 #define DFL_RECONNECT_HARD      0
 #define DFL_TICKETS             MBEDTLS_SSL_SESSION_TICKETS_ENABLED
 #define DFL_ALPN_STRING         NULL
@@ -143,8 +145,12 @@
 #define USAGE_CID \
     "    cid=%%d             Disable (0) or enable (1) the use of the DTLS Connection ID extension.\n" \
     "                       default: 0 (disabled)\n"     \
+    "    cid_renego=%%d      Disable (0) or enable (1) the use of the DTLS Connection ID extension during renegotiation.\n" \
+    "                       default: same as 'cid'\n"     \
     "    cid_val=%%s          The CID to use for incoming messages (in hex, without 0x).\n"  \
-    "                        default: \"\"\n"
+    "                        default: \"\"\n" \
+    "    cid_val_renego=%%s   The CID to use for incoming messages (in hex, without 0x) after renegotiation.\n"  \
+    "                        default: same as cid_val\n"
 #else /* MBEDTLS_SSL_CID */
 #define USAGE_CID ""
 #endif /* MBEDTLS_SSL_CID */
@@ -399,7 +405,11 @@
     int extended_ms;            /* negotiate extended master secret?        */
     int etm;                    /* negotiate encrypt then mac?              */
     int cid_enabled;            /* whether to use the CID extension or not  */
+    int cid_enabled_renego;     /* whether to use the CID extension or not
+                                 * during renegotiation                     */
     const char *cid_val;        /* the CID to use for incoming messages     */
+    const char *cid_val_renego; /* the CID to use for incoming messages
+                                 * after renegotiation                      */
 } opt;
 
 int query_config( const char *config );
@@ -590,6 +600,56 @@
     return( 0 );
 }
 
+#if defined(MBEDTLS_SSL_CID)
+int report_cid_usage( mbedtls_ssl_context *ssl,
+                      const char *additional_description )
+{
+    int ret;
+    unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
+    size_t peer_cid_len;
+    int cid_negotiated;
+
+    if( opt.transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( 0 );
+
+    /* Check if the use of a CID has been negotiated */
+    ret = mbedtls_ssl_get_peer_cid( ssl, &cid_negotiated,
+                                    peer_cid, &peer_cid_len );
+    if( ret != 0 )
+    {
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_get_peer_cid returned -0x%x\n\n",
+                        -ret );
+        return( ret );
+    }
+
+    if( cid_negotiated == MBEDTLS_SSL_CID_DISABLED )
+    {
+        if( opt.cid_enabled == MBEDTLS_SSL_CID_ENABLED )
+        {
+            mbedtls_printf( "(%s) Use of Connection ID was rejected by the server.\n",
+                            additional_description );
+        }
+    }
+    else
+    {
+        size_t idx=0;
+        mbedtls_printf( "(%s) Use of Connection ID has been negotiated.\n",
+                        additional_description );
+        mbedtls_printf( "(%s) Peer CID (length %u Bytes): ",
+                        additional_description,
+                        (unsigned) peer_cid_len );
+        while( idx < peer_cid_len )
+        {
+            mbedtls_printf( "%02x ", peer_cid[ idx ] );
+            idx++;
+        }
+        mbedtls_printf( "\n" );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_CID */
+
 int main( int argc, char *argv[] )
 {
     int ret = 0, len, tail_len, i, written, frags, retry_left;
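Review bot: `report_cid_usage` gates the "was rejected by the server" line on `opt.cid_enabled`, the initial-handshake setting, even when it is called for the "after renegotiation" report. With `cid=1 cid_renego=0` the client would report a server rejection although it stopped offering the extension itself, and with `cid=0 cid_renego=1` a real rejection after renegotiation would go unreported. Passing the setting that applies to the handshake being reported as an extra argument, for example `report_cid_usage( &ssl, "after renegotiation", opt.cid_enabled_renego )`, keeps the output accurate. The copy added to ssl_server2.c has the same issue with its "was not offered by client" line. The helper has no prototype and appears to be used only in this file, so it could also be declared `static`.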
@@ -604,7 +664,9 @@
 
 #if defined(MBEDTLS_SSL_CID)
     unsigned char cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
+    unsigned char cid_renego[MBEDTLS_SSL_CID_IN_LEN_MAX];
     size_t cid_len = 0;
+    size_t cid_renego_len = 0;
 #endif
 
 #if defined(MBEDTLS_SSL_ALPN)
@@ -682,6 +744,8 @@
     opt.debug_level         = DFL_DEBUG_LEVEL;
     opt.cid_enabled         = DFL_CID_ENABLED;
     opt.cid_val             = DFL_CID_VALUE;
+    opt.cid_enabled_renego  = DFL_CID_ENABLED_RENEGO;
+    opt.cid_val_renego      = DFL_CID_VALUE_RENEGO;
     opt.nbio                = DFL_NBIO;
     opt.event               = DFL_EVENT;
     opt.read_timeout        = DFL_READ_TIMEOUT;
@@ -798,10 +862,20 @@
             if( opt.cid_enabled != 0 && opt.cid_enabled != 1 )
                 goto usage;
         }
+        else if( strcmp( p, "cid_renego" ) == 0 )
+        {
+            opt.cid_enabled_renego = atoi( q );
+            if( opt.cid_enabled_renego != 0 && opt.cid_enabled_renego != 1 )
+                goto usage;
+        }
         else if( strcmp( p, "cid_val" ) == 0 )
         {
             opt.cid_val = q;
         }
+        else if( strcmp( p, "cid_val_renego" ) == 0 )
+        {
+            opt.cid_val_renego = q;
+        }
 #endif /* MBEDTLS_SSL_CID */
         else if( strcmp( p, "psk" ) == 0 )
             opt.psk = q;
@@ -1145,21 +1219,38 @@
     }
 
 #if defined(MBEDTLS_SSL_CID)
-   if( strlen( opt.cid_val ) )
-   {
-       cid_len = strlen( opt.cid_val ) / 2;
-       if( cid_len > sizeof( cid ) )
-       {
-           mbedtls_printf( "CID too long\n" );
-           goto exit;
-       }
+    cid_len = strlen( opt.cid_val ) / 2;
+    if( cid_len > sizeof( cid ) )
+    {
+        mbedtls_printf( "CID too long\n" );
+        goto exit;
+    }
 
-       if( unhexify( opt.cid_val, cid ) != 0 )
-       {
-           mbedtls_printf( "CID not valid hex\n" );
-           goto exit;
-       }
-   }
+    if( unhexify( opt.cid_val, cid ) != 0 )
+    {
+        mbedtls_printf( "CID not valid hex\n" );
+        goto exit;
+    }
+
+    /* Keep CID settings for renegotiation unless
+     * specified otherwise. */
+    if( opt.cid_enabled_renego == DFL_CID_ENABLED_RENEGO )
+        opt.cid_enabled_renego = opt.cid_enabled;
+    if( opt.cid_val_renego == DFL_CID_VALUE_RENEGO )
+        opt.cid_val_renego = opt.cid_val;
+
+    cid_renego_len = strlen( opt.cid_val_renego ) / 2;
+    if( cid_renego_len > sizeof( cid_renego ) )
+    {
+        mbedtls_printf( "CID too long\n" );
+        goto exit;
+    }
+
+    if( unhexify( opt.cid_val_renego, cid_renego ) != 0 )
+    {
+        mbedtls_printf( "CID not valid hex\n" );
+        goto exit;
+    }
 #endif /* MBEDTLS_SSL_CID */
 
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
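Review bot: The new `cid_val_renego` error paths print the same "CID too long" and "CID not valid hex" text as the `cid_val` paths, so the output does not say which option was malformed. Naming the option, e.g. `mbedtls_printf( "cid_val_renego too long\n" );` and `mbedtls_printf( "cid_val_renego not valid hex\n" );`, would fix that without touching the existing messages. Both length checks use `strlen() / 2`, so an odd-length string passes them and is only rejected if `unhexify` refuses it. Its definition is outside this hunk and worth confirming.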
@@ -1447,9 +1538,22 @@
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_SSL_CID)
-    if( opt.cid_enabled == 1 )
+    if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
     {
-        ret = mbedtls_ssl_conf_cid_len( &conf, cid_len );
+        if( opt.cid_enabled == 1        &&
+            opt.cid_enabled_renego == 1 &&
+            cid_len != cid_renego_len )
+        {
+            mbedtls_printf( "CID length must not change during renegotiation\n" );
+            goto usage;
+        }
+
+
+        if( opt.cid_enabled == 1 )
+            ret = mbedtls_ssl_conf_cid_len( &conf, cid_len );
+        else
+            ret = mbedtls_ssl_conf_cid_len( &conf, cid_renego_len );
+
         if( ret != 0 )
         {
             mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_cid_len returned %d\n\n",
@@ -1769,41 +1873,19 @@
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_SSL_CID)
+    ret = report_cid_usage( &ssl, "initial handshake" );
+    if( ret != 0 )
+        goto exit;
+
     if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
     {
-        unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
-        size_t peer_cid_len;
-        int cid_negotiated;
-
-        /* Check if the use of a CID has been negotiated */
-        ret = mbedtls_ssl_get_peer_cid( &ssl, &cid_negotiated,
-                                        peer_cid, &peer_cid_len );
-        if( ret != 0 )
+        if( ( ret = mbedtls_ssl_set_cid( &ssl, opt.cid_enabled_renego,
+                                         cid_renego,
+                                         cid_renego_len ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_get_peer_cid returned -0x%x\n\n",
-                            -ret );
-            goto exit;
-        }
-
-        if( cid_negotiated == MBEDTLS_SSL_CID_DISABLED )
-        {
-            if( opt.cid_enabled == MBEDTLS_SSL_CID_ENABLED )
-            {
-                mbedtls_printf( "Use of Connection ID was rejected by the server.\n" );
-            }
-        }
-        else
-        {
-            size_t idx=0;
-            mbedtls_printf( "Use of Connection ID has been negotiated.\n" );
-            mbedtls_printf( "Peer CID (length %u Bytes): ",
-                            (unsigned) peer_cid_len );
-            while( idx < peer_cid_len )
-            {
-                mbedtls_printf( "%02x ", peer_cid[ idx ] );
-                idx++;
-            }
-            mbedtls_printf( "\n" );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_set_cid returned %d\n\n",
+                            ret );
+            return( ret );
         }
     }
 #endif /* MBEDTLS_SSL_CID */
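Review bot: The failure path of `mbedtls_ssl_set_cid` leaves `main` with `return( ret );`, while every other error path in this hunk, and the matching code in ssl_server2.c, uses `goto exit;`. Returning directly skips whatever cleanup the `exit` label performs (not visible here, presumably freeing the SSL context and closing the connection). It may also yield a different process exit status than the other failures. Replacing the line with `goto exit;` would make it consistent.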
@@ -1848,6 +1930,12 @@
     }
 #endif /* MBEDTLS_SSL_RENEGOTIATION */
 
+#if defined(MBEDTLS_SSL_CID)
+    ret = report_cid_usage( &ssl, "after renegotiation" );
+    if( ret != 0 )
+        goto exit;
+#endif /* MBEDTLS_SSL_CID */
+
     /*
      * 6. Write the GET request
      */
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 910bd52..6b5edb2 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -139,6 +139,8 @@
 #define DFL_SHA1                -1
 #define DFL_CID_ENABLED         0
 #define DFL_CID_VALUE           ""
+#define DFL_CID_ENABLED_RENEGO  -1
+#define DFL_CID_VALUE_RENEGO    NULL
 #define DFL_AUTH_MODE           -1
 #define DFL_CERT_REQ_CA_LIST    MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
 #define DFL_MFL_CODE            MBEDTLS_SSL_MAX_FRAG_LEN_NONE
@@ -228,8 +230,12 @@
 #define USAGE_CID \
     "    cid=%%d             Disable (0) or enable (1) the use of the DTLS Connection ID extension.\n" \
     "                       default: 0 (disabled)\n"     \
+    "    cid_renego=%%d      Disable (0) or enable (1) the use of the DTLS Connection ID extension during renegotiation.\n" \
+    "                       default: same as 'cid'\n"     \
     "    cid_val=%%s          The CID to use for incoming messages (in hex, without 0x).\n"  \
-    "                        default: \"\"\n"
+    "                        default: \"\"\n" \
+    "    cid_val_renego=%%s   The CID to use for incoming messages (in hex, without 0x) after renegotiation.\n"  \
+    "                        default: same as 'cid_val'\n"
 #else /* MBEDTLS_SSL_CID */
 #define USAGE_CID ""
 #endif /* MBEDTLS_SSL_CID */
@@ -523,7 +529,11 @@
     int dgram_packing;          /* allow/forbid datagram packing            */
     int badmac_limit;           /* Limit of records with bad MAC            */
     int cid_enabled;            /* whether to use the CID extension or not  */
+    int cid_enabled_renego;     /* whether to use the CID extension or not
+                                 * during renegotiation                     */
     const char *cid_val;        /* the CID to use for incoming messages     */
+    const char *cid_val_renego; /* the CID to use for incoming messages
+                                 * after renegotiation                      */
 } opt;
 
 int query_config( const char *config );
@@ -1214,6 +1224,56 @@
     return( 0 );
 }
 
+#if defined(MBEDTLS_SSL_CID)
+int report_cid_usage( mbedtls_ssl_context *ssl,
+                      const char *additional_description )
+{
+    int ret;
+    unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
+    size_t peer_cid_len;
+    int cid_negotiated;
+
+    if( opt.transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( 0 );
+
+    /* Check if the use of a CID has been negotiated */
+    ret = mbedtls_ssl_get_peer_cid( ssl, &cid_negotiated,
+                                    peer_cid, &peer_cid_len );
+    if( ret != 0 )
+    {
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_get_peer_cid returned -0x%x\n\n",
+                        -ret );
+        return( ret );
+    }
+
+    if( cid_negotiated == MBEDTLS_SSL_CID_DISABLED )
+    {
+        if( opt.cid_enabled == MBEDTLS_SSL_CID_ENABLED )
+        {
+            mbedtls_printf( "(%s) Use of Connection ID was not offered by client.\n",
+                            additional_description );
+        }
+    }
+    else
+    {
+        size_t idx=0;
+        mbedtls_printf( "(%s) Use of Connection ID has been negotiated.\n",
+                        additional_description );
+        mbedtls_printf( "(%s) Peer CID (length %u Bytes): ",
+                        additional_description,
+                        (unsigned) peer_cid_len );
+        while( idx < peer_cid_len )
+        {
+            mbedtls_printf( "%02x ", peer_cid[ idx ] );
+            idx++;
+        }
+        mbedtls_printf( "\n" );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_CID */
+
 int main( int argc, char *argv[] )
 {
     int ret = 0, len, written, frags, exchanges_left;
@@ -1281,7 +1341,9 @@
 
 #if defined(MBEDTLS_SSL_CID)
     unsigned char cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
+    unsigned char cid_renego[MBEDTLS_SSL_CID_IN_LEN_MAX];
     size_t cid_len = 0;
+    size_t cid_renego_len = 0;
 #endif
 
     int i;
@@ -1362,7 +1424,9 @@
     opt.response_size       = DFL_RESPONSE_SIZE;
     opt.nbio                = DFL_NBIO;
     opt.cid_enabled         = DFL_CID_ENABLED;
+    opt.cid_enabled_renego  = DFL_CID_ENABLED_RENEGO;
     opt.cid_val             = DFL_CID_VALUE;
+    opt.cid_val_renego      = DFL_CID_VALUE_RENEGO;
     opt.read_timeout        = DFL_READ_TIMEOUT;
     opt.ca_file             = DFL_CA_FILE;
     opt.ca_path             = DFL_CA_PATH;
@@ -1508,10 +1572,20 @@
             if( opt.cid_enabled != 0 && opt.cid_enabled != 1 )
                 goto usage;
         }
+        else if( strcmp( p, "cid_renego" ) == 0 )
+        {
+            opt.cid_enabled_renego = atoi( q );
+            if( opt.cid_enabled_renego != 0 && opt.cid_enabled_renego != 1 )
+                goto usage;
+        }
         else if( strcmp( p, "cid_val" ) == 0 )
         {
             opt.cid_val = q;
         }
+        else if( strcmp( p, "cid_val_renego" ) == 0 )
+        {
+            opt.cid_val_renego = q;
+        }
 #endif /* MBEDTLS_SSL_CID */
         else if( strcmp( p, "psk" ) == 0 )
             opt.psk = q;
@@ -1920,22 +1994,26 @@
         }
     }
 
-#if defined(MBEDTLS_SSL_CID)
-   if( strlen( opt.cid_val ) )
-   {
-       cid_len = strlen( opt.cid_val ) / 2;
-       if( cid_len > sizeof( cid ) )
-       {
-           mbedtls_printf( "CID too long\n" );
-           goto exit;
-       }
 
-       if( unhexify( cid, opt.cid_val, &cid_len ) != 0 )
-       {
-           mbedtls_printf( "CID not valid hex\n" );
-           goto exit;
-       }
-   }
+#if defined(MBEDTLS_SSL_CID)
+    if( unhexify( cid, opt.cid_val, &cid_len ) != 0 )
+    {
+        mbedtls_printf( "CID not valid hex\n" );
+        goto exit;
+    }
+
+    /* Keep CID settings for renegotiation unless
+     * specified otherwise. */
+    if( opt.cid_enabled_renego == DFL_CID_ENABLED_RENEGO )
+        opt.cid_enabled_renego = opt.cid_enabled;
+    if( opt.cid_val_renego == DFL_CID_VALUE_RENEGO )
+        opt.cid_val_renego = opt.cid_val;
+
+    if( unhexify( cid_renego, opt.cid_val_renego, &cid_renego_len ) != 0 )
+    {
+        mbedtls_printf( "CID not valid hex\n" );
+        goto exit;
+    }
 #endif /* MBEDTLS_SSL_CID */
 
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
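Review bot: This hunk drops the `cid_len > sizeof( cid )` check that used to run before `unhexify` writes into the fixed-size stack buffer `cid`, and the new `cid_renego` parse never had one. `unhexify` receives no output size here, so any remaining bound lives inside it and is not visible in this hunk. If that bound is absent or tied to a limit other than `MBEDTLS_SSL_CID_IN_LEN_MAX`, a long `cid_val` or `cid_val_renego` on the command line would write past the buffer. The client keeps the explicit check for both values. Restoring it here, e.g. `if( strlen( opt.cid_val ) / 2 > sizeof( cid ) )` and `if( strlen( opt.cid_val_renego ) / 2 > sizeof( cid_renego ) )`, each followed by the "CID too long" exit, would make the bound local and independent of the helper.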
@@ -2310,9 +2388,21 @@
 #endif
 
 #if defined(MBEDTLS_SSL_CID)
-    if( opt.cid_enabled == 1 )
+    if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
     {
-        ret = mbedtls_ssl_conf_cid_len( &conf, cid_len );
+        if( opt.cid_enabled == 1        &&
+            opt.cid_enabled_renego == 1 &&
+            cid_len != cid_renego_len )
+        {
+            mbedtls_printf( "CID length must not change during renegotiation\n" );
+            goto usage;
+        }
+
+        if( opt.cid_enabled == 1 )
+            ret = mbedtls_ssl_conf_cid_len( &conf, cid_len );
+        else
+            ret = mbedtls_ssl_conf_cid_len( &conf, cid_renego_len );
+
         if( ret != 0 )
         {
             mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_cid_len returned %d\n\n",
@@ -2869,42 +2959,19 @@
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_SSL_CID)
+    ret = report_cid_usage( &ssl, "initial handshake" );
+    if( ret != 0 )
+        goto exit;
+
     if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
     {
-        unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
-        size_t peer_cid_len;
-        int cid_negotiated;
-
-        /* Check if the use of a CID has been negotiated */
-        ret = mbedtls_ssl_get_peer_cid( &ssl, &cid_negotiated,
-                                        peer_cid, &peer_cid_len );
-        if( ret != 0 )
+        if( ( ret = mbedtls_ssl_set_cid( &ssl, opt.cid_enabled_renego,
+                                         cid_renego, cid_renego_len ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_get_peer_cid returned -0x%x\n\n",
-                            -ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_set_cid returned %d\n\n",
+                            ret );
             goto exit;
         }
-
-        if( cid_negotiated == MBEDTLS_SSL_CID_DISABLED )
-        {
-            if( opt.cid_enabled == MBEDTLS_SSL_CID_ENABLED )
-            {
-                mbedtls_printf( "Use of Connection ID was not offered by the client.\n" );
-            }
-        }
-        else
-        {
-            size_t idx=0;
-            mbedtls_printf( "Use of Connection ID has been negotiated.\n" );
-            mbedtls_printf( "Peer CID (length %u Bytes): ",
-                            (unsigned) peer_cid_len );
-            while( idx < peer_cid_len )
-            {
-                mbedtls_printf( "%02x ", peer_cid[ idx ] );
-                idx++;
-            }
-            mbedtls_printf( "\n" );
-        }
     }
 #endif /* MBEDTLS_SSL_CID */
 
@@ -3118,6 +3185,10 @@
     }
 #endif /* MBEDTLS_SSL_RENEGOTIATION */
 
+    ret = report_cid_usage( &ssl, "after renegotiation" );
+    if( ret != 0 )
+        goto exit;
+
     /*
      * 7. Write the 200 Response
      */
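Review bot: The added call to `report_cid_usage` is not wrapped in `#if defined(MBEDTLS_SSL_CID)`, but the function is only defined under that guard earlier in this file. A build with `MBEDTLS_SSL_CID` disabled would then fail on an undeclared or undefined function. The corresponding call in ssl_client2.c is guarded. Wrapping these three lines in `#if defined(MBEDTLS_SSL_CID)` and `#endif /* MBEDTLS_SSL_CID */` would match it.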
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 020abd2..ebee0fd 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1385,24 +1385,93 @@
 
 requires_config_enabled MBEDTLS_SSL_CID
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test    "(STUB) Connection ID: Client+Server enabled, renegotiate" \
+run_test    "(STUB) Connection ID: Client+Server enabled, renegotiate without change of CID" \
             "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
             "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
             0 \
-            -c "Enable use of CID extension." \
-            -s "Enable use of CID extension." \
-            -c "client hello, adding CID extension" \
-            -s "found CID extension"           \
-            -s "Use of CID extension negotiated" \
-            -s "server hello, adding CID extension" \
-            -c "found CID extension" \
-            -c "Use of CID extension negotiated" \
-            -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -c "Peer CID (length 2 Bytes): de ad" \
-            -s "Peer CID (length 2 Bytes): be ef" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated"
+            -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
+            -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
+            -s "(initial handshake) Use of Connection ID has been negotiated" \
+            -c "(initial handshake) Use of Connection ID has been negotiated" \
+            -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
+            -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
+            -s "(after renegotiation) Use of Connection ID has been negotiated" \
+            -c "(after renegotiation) Use of Connection ID has been negotiated"
+
+requires_config_enabled MBEDTLS_SSL_CID
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test    "(STUB) Connection ID: Client+Server enabled, renegotiate with different CID" \
+            "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
+            "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
+            0 \
+            -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
+            -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
+            -s "(initial handshake) Use of Connection ID has been negotiated" \
+            -c "(initial handshake) Use of Connection ID has been negotiated" \
+            -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
+            -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
+            -s "(after renegotiation) Use of Connection ID has been negotiated" \
+            -c "(after renegotiation) Use of Connection ID has been negotiated"
+
+requires_config_enabled MBEDTLS_SSL_CID
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test    "(STUB) Connection ID: Client+Server enabled, renegotiate without CID" \
+            "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
+            "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
+            0 \
+            -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
+            -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
+            -s "(initial handshake) Use of Connection ID has been negotiated" \
+            -c "(initial handshake) Use of Connection ID has been negotiated" \
+            -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
+            -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
+            -C "(after renegotiation) Use of Connection ID has been negotiated" \
+            -S "(after renegotiation) Use of Connection ID has been negotiated"
+
+requires_config_enabled MBEDTLS_SSL_CID
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test    "(STUB) Connection ID: Client+Server enabled, CID on renegotiation" \
+            "$P_SRV debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
+            "$P_CLI debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
+            0 \
+            -S "(initial handshake) Use of Connection ID has been negotiated" \
+            -C "(initial handshake) Use of Connection ID has been negotiated" \
+            -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
+            -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
+            -c "(after renegotiation) Use of Connection ID has been negotiated" \
+            -s "(after renegotiation) Use of Connection ID has been negotiated"
+
+requires_config_enabled MBEDTLS_SSL_CID
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test    "(STUB) Connection ID: Client+Server enabled, client disables on renegotiation" \
+            "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
+            "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
+            0 \
+            -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
+            -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
+            -s "(initial handshake) Use of Connection ID has been negotiated" \
+            -c "(initial handshake) Use of Connection ID has been negotiated" \
+            -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
+            -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
+            -C "(after renegotiation) Use of Connection ID has been negotiated" \
+            -S "(after renegotiation) Use of Connection ID has been negotiated" \
+            -s "(after renegotiation) Use of Connection ID was not offered by client"
+
+requires_config_enabled MBEDTLS_SSL_CID
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test    "(STUB) Connection ID: Client+Server enabled, server disables on renegotiation" \
+            "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
+            "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
+            0 \
+            -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
+            -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
+            -s "(initial handshake) Use of Connection ID has been negotiated" \
+            -c "(initial handshake) Use of Connection ID has been negotiated" \
+            -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
+            -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
+            -C "(after renegotiation) Use of Connection ID has been negotiated" \
+            -S "(after renegotiation) Use of Connection ID has been negotiated" \
+            -c "(after renegotiation) Use of Connection ID was rejected by the server"
 
 # Tests for Encrypt-then-MAC extension