mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 08:05:45 +01:00
Allow to configure the stack's behaviour on unexpected CIDs
This commit modifies the CID configuration API mbedtls_ssl_conf_cid_len() to allow the configuration of the stack's behaviour when receiving an encrypted DTLS record with unexpected CID.
This commit is contained in:
parent
c37c96a3c5
commit
8367ccc03b
@ -1335,7 +1335,7 @@
|
||||
* in the underlying transport.
|
||||
*
|
||||
* Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`,
|
||||
* `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid_len()`.
|
||||
* `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid()`.
|
||||
* See their documentation for more information.
|
||||
*
|
||||
* \warning The Connection ID extension is still in draft state.
|
||||
|
@ -1114,6 +1114,11 @@ struct mbedtls_ssl_config
|
||||
unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in
|
||||
Certificate Request messages? */
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS
|
||||
* record with unexpected CID
|
||||
* should lead to failure. */
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
};
|
||||
|
||||
|
||||
@ -1572,7 +1577,7 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
|
||||
* MBEDTLS_SSL_CID_DISABLED.
|
||||
*
|
||||
* \note The value of \p own_cid_len must match the value of the
|
||||
* \c len parameter passed to mbedtls_ssl_conf_cid_len()
|
||||
* \c len parameter passed to mbedtls_ssl_conf_cid()
|
||||
* when configuring the ::mbedtls_ssl_config that \p ssl
|
||||
* is bound to.
|
||||
*
|
||||
@ -2305,14 +2310,27 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
|
||||
const int *ciphersuites );
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
#define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 0
|
||||
#define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 1
|
||||
/**
|
||||
* \brief Specify the length of CIDs for incoming encrypted
|
||||
* DTLS records. (Default: \c 0)
|
||||
* \brief Specify the length of CIDs for incoming encrypted DTLS
|
||||
* records and specify the behaviour on unexpected CIDs.
|
||||
*
|
||||
* By default, the CID length is set to \c 0,
|
||||
* and unexpected CIDs are silently ignored.
|
||||
*
|
||||
* \param conf The SSL configuration to modify.
|
||||
* \param len The length in Bytes of the CID fields in encrypted
|
||||
* DTLS records using the CID mechanism. This must
|
||||
* not be larger than #MBEDTLS_SSL_CID_OUT_LEN_MAX.
|
||||
* \param ignore_other_cid This determines the stack's behaviour when
|
||||
* receiving a record with an unexpected CID.
|
||||
* Possible values are:
|
||||
* - #MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
|
||||
* In this case, the record is silently ignored.
|
||||
* - #MBEDTLS_SSL_UNEXPECTED_CID_FAIL
|
||||
* In this case, the stack fails with the specific
|
||||
* error code #MBEDTLS_ERR_SSL_UNEXPECTED_CID.
|
||||
*
|
||||
* \note The CID specification allows implementations to either
|
||||
* use a common length for all incoming connection IDs or
|
||||
@ -2325,7 +2343,8 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
|
||||
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len
|
||||
* is too large.
|
||||
*/
|
||||
int mbedtls_ssl_conf_cid_len( mbedtls_ssl_config *conf, size_t len );
|
||||
int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len,
|
||||
int ignore_other_cids );
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
|
||||
/**
|
||||
|
@ -122,12 +122,15 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl );
|
||||
|
||||
/* WARNING: The CID feature isn't fully implemented yet
|
||||
* and will not be used. */
|
||||
int mbedtls_ssl_conf_cid_len( mbedtls_ssl_config *conf,
|
||||
size_t len )
|
||||
int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
|
||||
size_t len,
|
||||
int ignore_other_cid )
|
||||
{
|
||||
if( len > MBEDTLS_SSL_CID_IN_LEN_MAX )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
conf->ignore_unexpected_cid =
|
||||
( ignore_other_cid == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
|
||||
conf->cid_len = len;
|
||||
return( 0 );
|
||||
}
|
||||
@ -2570,12 +2573,10 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
|
||||
/*
|
||||
* Match record's CID with incoming CID.
|
||||
*/
|
||||
|
||||
if( rec->cid_len != transform->in_cid_len ||
|
||||
memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
|
||||
{
|
||||
/* Silently skip over record with mismatching CID. */
|
||||
return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
|
||||
return( MBEDTLS_ERR_SSL_UNEXPECTED_CID );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
|
||||
@ -5094,8 +5095,15 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
|
||||
&rec ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
|
||||
if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
|
||||
ssl->conf->ignore_unexpected_cid
|
||||
== MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
|
||||
{
|
||||
ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
@ -1842,9 +1842,11 @@ int main( int argc, char *argv[] )
|
||||
|
||||
|
||||
if( opt.cid_enabled == 1 )
|
||||
ret = mbedtls_ssl_conf_cid_len( &conf, cid_len );
|
||||
ret = mbedtls_ssl_conf_cid( &conf, cid_len,
|
||||
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
|
||||
else
|
||||
ret = mbedtls_ssl_conf_cid_len( &conf, cid_renego_len );
|
||||
ret = mbedtls_ssl_conf_cid( &conf, cid_renego_len,
|
||||
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
|
||||
|
||||
if( ret != 0 )
|
||||
{
|
||||
|
@ -2727,9 +2727,11 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
|
||||
if( opt.cid_enabled == 1 )
|
||||
ret = mbedtls_ssl_conf_cid_len( &conf, cid_len );
|
||||
ret = mbedtls_ssl_conf_cid( &conf, cid_len,
|
||||
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
|
||||
else
|
||||
ret = mbedtls_ssl_conf_cid_len( &conf, cid_renego_len );
|
||||
ret = mbedtls_ssl_conf_cid( &conf, cid_renego_len,
|
||||
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
|
||||
|
||||
if( ret != 0 )
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user