Document behaviour of mbedtls_ssl_get_peer_cid() for empty CIDs
This commit is contained in:
parent
5a29990367
commit
c5f2422116
2 changed files with 11 additions and 5 deletions
|
@ -1628,6 +1628,13 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
|
|||
* progress, this function will attempt to complete
|
||||
* the handshake first.
|
||||
*
|
||||
* \note If CID extensions have been exchanged but both client
|
||||
* and server chose to use an empty CID, this function
|
||||
* sets `*enabled` to #MBEDTLS_SSL_CID_DISABLED
|
||||
* (the rationale for this is that the resulting
|
||||
* communication is the same as if the CID extensions
|
||||
* hadn't been used).
|
||||
*
|
||||
* \return \c 0 on success.
|
||||
* \return A negative error code on failure.
|
||||
*/
|
||||
|
|
|
@ -165,11 +165,10 @@ int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
|
|||
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
/* What shall we report if we have exchanged if both client
|
||||
* and server have used the CID extension, but negotiated
|
||||
* empty CIDs? This is indistinguishable from not using the
|
||||
* CID extension in the first place, and we're reporting
|
||||
* MBEDTLS_SSL_CID_DISABLED in this case. */
|
||||
/* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
|
||||
* were used, but client and server requested the empty CID.
|
||||
* This is indistinguishable from not using the CID extension
|
||||
* in the first place. */
|
||||
if( ssl->transform_in->in_cid_len == 0 &&
|
||||
ssl->transform_in->out_cid_len == 0 )
|
||||
{
|
||||
|
|
Loading…
Reference in a new issue