diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 2e1b982cb..2ad39db7a 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1335,7 +1335,7 @@ * in the underlying transport. * * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`, - * `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid_len()`. + * `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid()`. * See their documentation for more information. * * \warning The Connection ID extension is still in draft state. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index b616a733f..6f35e58d3 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1114,6 +1114,11 @@ struct mbedtls_ssl_config unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in Certificate Request messages? */ #endif +#if defined(MBEDTLS_SSL_CID) + unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS + * record with unexpected CID + * should lead to failure. */ +#endif /* MBEDTLS_SSL_CID */ }; @@ -1572,7 +1577,7 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, * MBEDTLS_SSL_CID_DISABLED. * * \note The value of \p own_cid_len must match the value of the - * \c len parameter passed to mbedtls_ssl_conf_cid_len() + * \c len parameter passed to mbedtls_ssl_conf_cid() * when configuring the ::mbedtls_ssl_config that \p ssl * is bound to. * @@ -2305,14 +2310,27 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, const int *ciphersuites ); #if defined(MBEDTLS_SSL_CID) +#define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 0 +#define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 1 /** - * \brief Specify the length of CIDs for incoming encrypted - * DTLS records. (Default: \c 0) + * \brief Specify the length of CIDs for incoming encrypted DTLS + * records and specify the behaviour on unexpected CIDs. + * + * By default, the CID length is set to \c 0, + * and unexpected CIDs are silently ignored. * * \param conf The SSL configuration to modify. * \param len The length in Bytes of the CID fields in encrypted * DTLS records using the CID mechanism. This must * not be larger than #MBEDTLS_SSL_CID_OUT_LEN_MAX. + * \param ignore_other_cid This determines the stack's behaviour when + * receiving a record with an unexpected CID. + * Possible values are: + * - #MBEDTLS_SSL_UNEXPECTED_CID_IGNORE + * In this case, the record is silently ignored. + * - #MBEDTLS_SSL_UNEXPECTED_CID_FAIL + * In this case, the stack fails with the specific + * error code #MBEDTLS_ERR_SSL_UNEXPECTED_CID. * * \note The CID specification allows implementations to either * use a common length for all incoming connection IDs or @@ -2325,7 +2343,8 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len * is too large. */ -int mbedtls_ssl_conf_cid_len( mbedtls_ssl_config *conf, size_t len ); +int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len, + int ignore_other_cids ); #endif /* MBEDTLS_SSL_CID */ /** diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 428bab740..df11bb604 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -122,12 +122,15 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl ); /* WARNING: The CID feature isn't fully implemented yet * and will not be used. */ -int mbedtls_ssl_conf_cid_len( mbedtls_ssl_config *conf, - size_t len ) +int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, + size_t len, + int ignore_other_cid ) { if( len > MBEDTLS_SSL_CID_IN_LEN_MAX ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + conf->ignore_unexpected_cid = + ( ignore_other_cid == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ); conf->cid_len = len; return( 0 ); } @@ -2570,12 +2573,10 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl, /* * Match record's CID with incoming CID. */ - if( rec->cid_len != transform->in_cid_len || memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 ) { - /* Silently skip over record with mismatching CID. */ - return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); + return( MBEDTLS_ERR_SSL_UNEXPECTED_CID ); } #endif /* MBEDTLS_SSL_CID */ @@ -5094,8 +5095,15 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl ) &rec ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); - if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ) + +#if defined(MBEDTLS_SSL_CID) + if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID && + ssl->conf->ignore_unexpected_cid + == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ) + { ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; + } +#endif /* MBEDTLS_SSL_CID */ return( ret ); } diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 5a5cc149a..60f922f32 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1842,9 +1842,11 @@ int main( int argc, char *argv[] ) if( opt.cid_enabled == 1 ) - ret = mbedtls_ssl_conf_cid_len( &conf, cid_len ); + ret = mbedtls_ssl_conf_cid( &conf, cid_len, + MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ); else - ret = mbedtls_ssl_conf_cid_len( &conf, cid_renego_len ); + ret = mbedtls_ssl_conf_cid( &conf, cid_renego_len, + MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ); if( ret != 0 ) { diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index cc74c83b7..1721daec0 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -2727,9 +2727,11 @@ int main( int argc, char *argv[] ) } if( opt.cid_enabled == 1 ) - ret = mbedtls_ssl_conf_cid_len( &conf, cid_len ); + ret = mbedtls_ssl_conf_cid( &conf, cid_len, + MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ); else - ret = mbedtls_ssl_conf_cid_len( &conf, cid_renego_len ); + ret = mbedtls_ssl_conf_cid( &conf, cid_renego_len, + MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ); if( ret != 0 ) {