yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Skip copying CIDs to SSL transforms until CID feature is complete

Browse source 
This commit temporarily comments the copying of the negotiated CIDs
into the established ::mbedtls_ssl_transform in mbedtls_ssl_derive_keys()
until the CID feature has been fully implemented.

While mbedtls_ssl_decrypt_buf() and mbedtls_ssl_encrypt_buf() do
support CID-based record protection by now and can be unit tested,
the following two changes in the rest of the stack are still missing
before CID-based record protection can be integrated:
- Parsing of CIDs in incoming records.
- Allowing the new CID record content type for incoming records.
- Dealing with a change of record content type during record
  decryption.

Further, since mbedtls_ssl_get_peer_cid() judges the use of CIDs by
the CID fields in the currently transforms, this change also requires
temporarily disabling some grepping for ssl_client2 / ssl_server2
debug output in ssl-opt.sh.
This commit is contained in:
Hanno Becker 2019-04-30 13:52:29 +01:00
parent 8b3eb5ab82
commit 8a7f972202
2 changed files with 68 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
library/ssl_tls.c
View file

@ -956,11 +956,14 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
transform->in_cid_len = ssl->own_cid_len;
transform->out_cid_len = ssl->handshake->peer_cid_len;
memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );
memcpy( transform->out_cid, ssl->handshake->peer_cid,
ssl->handshake->peer_cid_len );
/* Uncomment this once CID-parsing and support for a change
* record content type during record decryption are added. */
/* transform->in_cid_len = ssl->own_cid_len; */
/* transform->out_cid_len = ssl->handshake->peer_cid_len; */
/* memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len ); */
/* memcpy( transform->out_cid, ssl->handshake->peer_cid, */
/* ssl->handshake->peer_cid_len ); */
MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,
transform->out_cid_len );

110
tests/ssl-opt.sh
View file

@ -1321,11 +1321,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID none
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 2 Bytes): de ad" \
-s "Peer CID (length 2 Bytes): be ef"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -c "Peer CID (length 2 Bytes): de ad" \
# -s "Peer CID (length 2 Bytes): be ef"
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty" \
@ -1341,11 +1342,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 4 Bytes): de ad be ef" \
-s "Peer CID (length 0 Bytes):"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -c "Peer CID (length 4 Bytes): de ad be ef" \
# -s "Peer CID (length 0 Bytes):" \
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty" \
@ -1361,11 +1363,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-s "Peer CID (length 4 Bytes): de ad be ef" \
-c "Peer CID (length 0 Bytes):"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -s "Peer CID (length 4 Bytes): de ad be ef" \
# -c "Peer CID (length 0 Bytes):"
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty" \
@ -1399,11 +1402,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID none
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 2 Bytes): de ad" \
-s "Peer CID (length 2 Bytes): be ef"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -c "Peer CID (length 2 Bytes): de ad" \
# -s "Peer CID (length 2 Bytes): be ef" \
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CCM-8" \
@ -1419,11 +1423,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 4 Bytes): de ad be ef" \
-s "Peer CID (length 0 Bytes):"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -c "Peer CID (length 4 Bytes): de ad be ef" \
# -s "Peer CID (length 0 Bytes):" \
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CCM-8" \
@ -1439,11 +1444,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-s "Peer CID (length 4 Bytes): de ad be ef" \
-c "Peer CID (length 0 Bytes):"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -s "Peer CID (length 4 Bytes): de ad be ef" \
# -c "Peer CID (length 0 Bytes):" \
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CCM-8" \
@ -1477,11 +1483,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID none
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 2 Bytes): de ad" \
-s "Peer CID (length 2 Bytes): be ef"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -c "Peer CID (length 2 Bytes): de ad" \
# -s "Peer CID (length 2 Bytes): be ef" \
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CBC" \
@ -1497,11 +1504,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 4 Bytes): de ad be ef" \
-s "Peer CID (length 0 Bytes):"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -c "Peer CID (length 4 Bytes): de ad be ef" \
# -s "Peer CID (length 0 Bytes):" \
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CBC" \
@ -1517,11 +1525,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-s "Peer CID (length 4 Bytes): de ad be ef" \
-c "Peer CID (length 0 Bytes):"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -s "Peer CID (length 4 Bytes): de ad be ef" \
# -c "Peer CID (length 0 Bytes):" \
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
requires_config_enabled MBEDTLS_SSL_CID
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CBC" \
@ -1556,11 +1565,12 @@ run_test "(STUB) Connection ID: Client+Server enabled, renegotiate" \
-c "found CID extension" \
-c "Use of CID extension negotiated" \
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \
-s "Use of Connection ID has been negotiated" \
-c "Use of Connection ID has been negotiated" \
-c "Peer CID (length 2 Bytes): de ad" \
-s "Peer CID (length 2 Bytes): be ef"
-c "Copy CIDs into SSL transform"
# Uncomment once CID is fully implemented
# -c "Peer CID (length 2 Bytes): de ad" \
# -s "Peer CID (length 2 Bytes): be ef"
# -s "Use of Connection ID has been negotiated" \
# -c "Use of Connection ID has been negotiated" \
# Tests for Encrypt-then-MAC extension