Allow to configure the stack's behaviour on unexpected CIDs
This commit modifies the CID configuration API mbedtls_ssl_conf_cid_len()
to allow configuring the stack's behaviour when it receives an
encrypted DTLS record with an unexpected CID.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 869463e..d29c7bd 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1044,6 +1044,11 @@
unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in
Certificate Request messages? */
#endif
+#if defined(MBEDTLS_SSL_CID)
+ unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS
+ * record with unexpected CID
+ * should lead to failure. */
+#endif /* MBEDTLS_SSL_CID */
};
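Review bot: The comment on the new `ignore_unexpected_cid` bit does not say which value means what. The field name reads as "1 = ignore", while the text "should lead to failure" suggests the opposite polarity. Tie it to the constants this commit introduces, for example `/*!< 1: drop records with an unexpected CID (MBEDTLS_SSL_UNEXPECTED_CID_IGNORE); 0: fail (MBEDTLS_SSL_UNEXPECTED_CID_FAIL). */`. The struct begins outside the hunk, so the code that initialises this bit is not visible here.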
@@ -1492,7 +1497,7 @@
* MBEDTLS_SSL_CID_DISABLED.
*
* \note The value of \p own_cid_len must match the value of the
- * \c len parameter passed to mbedtls_ssl_conf_cid_len()
+ * \c len parameter passed to mbedtls_ssl_conf_cid()
* when configuring the ::mbedtls_ssl_config that \p ssl
* is bound to.
*
@@ -2152,14 +2157,27 @@
const int *ciphersuites );
#if defined(MBEDTLS_SSL_CID)
+#define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 0
+#define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 1
/**
- * \brief Specify the length of CIDs for incoming encrypted
- * DTLS records. (Default: \c 0)
+ * \brief Specify the length of CIDs for incoming encrypted DTLS
+ * records and specify the behaviour on unexpected CIDs.
+ *
+ * By default, the CID length is set to \c 0,
+ * and unexpected CIDs are silently ignored.
*
* \param conf The SSL configuration to modify.
* \param len The length in Bytes of the CID fields in encrypted
* DTLS records using the CID mechanism. This must
* not be larger than #MBEDTLS_SSL_CID_OUT_LEN_MAX.
+ * \param ignore_other_cid This determines the stack's behaviour when
+ * receiving a record with an unexpected CID.
+ * Possible values are:
+ * - #MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
+ * In this case, the record is silently ignored.
+ * - #MBEDTLS_SSL_UNEXPECTED_CID_FAIL
+ * In this case, the stack fails with the specific
+ * error code #MBEDTLS_ERR_SSL_UNEXPECTED_CID.
*
* \note The CID specification allows implementations to either
* use a common length for all incoming connection IDs or
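Review bot: The added text says unexpected CIDs are ignored by default, but `MBEDTLS_SSL_UNEXPECTED_CID_IGNORE` is 1 and `MBEDTLS_SSL_UNEXPECTED_CID_FAIL` is 0. A zero-filled `mbedtls_ssl_config` therefore selects FAIL unless the defaults routine sets the bit explicitly; that code is not in this diff and should be confirmed. The description of `MBEDTLS_SSL_UNEXPECTED_CID_FAIL` would also benefit from a caveat, since a datagram with a mismatching CID then surfaces as an error to the application. If the CID comparison runs before record authentication (not shown here), anyone able to deliver a datagram to the socket can trigger that error. Something like `\warning With #MBEDTLS_SSL_UNEXPECTED_CID_FAIL, do not treat #MBEDTLS_ERR_SSL_UNEXPECTED_CID as fatal on untrusted networks.` would steer callers away from tearing down the session on it.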
@@ -2172,7 +2190,8 @@
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len
* is too large.
*/
-int mbedtls_ssl_conf_cid_len( mbedtls_ssl_config *conf, size_t len );
+int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len,
+ int ignore_other_cids );
#endif /* MBEDTLS_SSL_CID */
/**
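Review bot: The prototype names the third parameter `ignore_other_cids`, while the Doxygen block above documents `\param ignore_other_cid`, so the description will not attach to the parameter; use `\param ignore_other_cids`. The `\return` line still refers to `\p own_cid_len`, although this function's length parameter is `len`. The comment also does not say what happens for a value other than the two constants. Because the setting is stored in a 1-bit field, a value such as 2 would presumably truncate to 0 and silently select FAIL, so the implementation (not in this diff) should reject it and the comment should say so, e.g. `\return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p len is too large or \p ignore_other_cids is not a valid value.`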