commit e0200dad634d4ce61d2c835fa620ddb55b821101
author Hanno Becker <hanno.becker@arm.com> Thu Jun 13 09:23:43 2019 +0100
committer Hanno Becker <hanno.becker@arm.com> Tue Jul 02 16:41:35 2019 +0100
tree a77ffee45dcae2e5169a75a08404a88c8dec76de
parent b0b2b675681d94d70d0afe2ebb030df74be92c90

Allow configuration of ConnectionID at compile-time

Introduces
- MBEDTLS_SSL_CONF_CID_LEN and
- MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID
to control
- the length of incoming CIDs
- the behaviour in receipt of unexpected CIDs
at compile-time.

Impact on code-size:

|  | GCC 82.1 | ARMC5 5.06 | ARMC6 6.12 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23223 | 23865 | 26775 |
| `libmbedtls.a` after  | 23147 | 23781 | 26703 |
| gain in Bytes | 76 | 84 | 72 |

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 65cdd49..7729cbc 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -117,6 +117,9 @@
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
 /* Top-level Connection ID API */
 
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+    !defined(MBEDTLS_SSL_CONF_CID_LEN) &&      \
+    !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
 int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
                           size_t len,
                           int ignore_other_cid )
@@ -134,6 +137,21 @@
     conf->cid_len = len;
     return( 0 );
 }
+#else  /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
+          !MBEDTLS_SSL_CONF_CID_LEN &&
+          !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
+
+#if MBEDTLS_SSL_CONF_CID_LEN > MBEDTLS_SSL_CID_IN_LEN_MAX
+#error "Invalid hardcoded value for MBEDTLS_SSL_CONF_CID_LEN"
+#endif
+#if MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE && \
+    MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID != MBEDTLS_SSL_UNEXPECTED_CID_FAIL
+#error "Invalid hardcoded value for MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID"
+#endif
+
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
+          !MBEDTLS_SSL_CONF_CID_LEN &&
+          !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
 
 int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
                          int enable,
@@ -152,11 +170,11 @@
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
     MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
 
-    if( own_cid_len != ssl->conf->cid_len )
+    if( own_cid_len != mbedtls_ssl_conf_get_cid_len( ssl->conf ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID length %u does not match CID length %u in config",
                                     (unsigned) own_cid_len,
-                                    (unsigned) ssl->conf->cid_len ) );
+                                    (unsigned) mbedtls_ssl_conf_get_cid_len( ssl->conf ) ) );
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
     }
 
@@ -4617,7 +4635,7 @@
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
     if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
         ssl->in_msgtype      == MBEDTLS_SSL_MSG_CID            &&
-        ssl->conf->cid_len   != 0 )
+        mbedtls_ssl_conf_get_cid_len( ssl->conf ) != 0 )
     {
         /* Shift pointers to account for record header including CID
          * struct {
@@ -4634,7 +4652,7 @@
 
         /* So far, we only support static CID lengths
          * fixed in the configuration. */
-        ssl->in_len = ssl->in_cid + ssl->conf->cid_len;
+        ssl->in_len = ssl->in_cid + mbedtls_ssl_conf_get_cid_len( ssl->conf );
         ssl->in_iv  = ssl->in_msg = ssl->in_len + 2;
     }
     else
@@ -4863,8 +4881,8 @@
 
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
             if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
-                ssl->conf->ignore_unexpected_cid
-                    == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
+                mbedtls_ssl_conf_get_ignore_unexpected_cid( ssl->conf )
+                  == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
             {
                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );
                 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;