diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 53523dc78..61b048fc8 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -105,6 +105,8 @@ int main( void ) #define DFL_RECO_DELAY 0 #define DFL_CID_ENABLED 0 #define DFL_CID_VALUE "" +#define DFL_CID_ENABLED_RENEGO -1 +#define DFL_CID_VALUE_RENEGO NULL #define DFL_RECONNECT_HARD 0 #define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED #define DFL_ALPN_STRING NULL @@ -143,8 +145,12 @@ int main( void ) #define USAGE_CID \ " cid=%%d Disable (0) or enable (1) the use of the DTLS Connection ID extension.\n" \ " default: 0 (disabled)\n" \ + " cid_renego=%%d Disable (0) or enable (1) the use of the DTLS Connection ID extension during renegotiation.\n" \ + " default: same as 'cid'\n" \ " cid_val=%%s The CID to use for incoming messages (in hex, without 0x).\n" \ - " default: \"\"\n" + " default: \"\"\n" \ + " cid_val_renego=%%s The CID to use for incoming messages (in hex, without 0x) after renegotiation.\n" \ + " default: same as cid_val\n" #else /* MBEDTLS_SSL_CID */ #define USAGE_CID "" #endif /* MBEDTLS_SSL_CID */ @@ -399,7 +405,11 @@ struct options int extended_ms; /* negotiate extended master secret? */ int etm; /* negotiate encrypt then mac? */ int cid_enabled; /* whether to use the CID extension or not */ + int cid_enabled_renego; /* whether to use the CID extension or not + * during renegotiation */ const char *cid_val; /* the CID to use for incoming messages */ + const char *cid_val_renego; /* the CID to use for incoming messages + * after renegotiation */ } opt; int query_config( const char *config ); 
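Review bot: The new `cid_enabled_renego` and `cid_val_renego` fields in `struct options` default to the sentinels `DFL_CID_ENABLED_RENEGO` (-1) and `DFL_CID_VALUE_RENEGO` (NULL) that mean "inherit the initial-handshake setting", but the field comments do not say so, and a reader of the struct alone would take -1/NULL as plain values. Suggest `/* whether to use the CID extension or not during renegotiation; -1 = same as cid_enabled */` and `/* the CID to use for incoming messages after renegotiation; NULL = same as cid_val */`. The USAGE_CID text is also slightly inconsistent between the two programs: the client says `default: same as cid_val` while the server says `default: same as 'cid_val'`; pick one form. The same comments apply to the ssl_server2.c struct hunk (@@ -523,7 +529,11).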
@@ -590,6 +600,56 @@ int unhexify( char const *hex, unsigned char *dst ) return( 0 ); } +#if defined(MBEDTLS_SSL_CID) +int report_cid_usage( mbedtls_ssl_context *ssl, + const char *additional_description ) +{ + int ret; + unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; + size_t peer_cid_len; + int cid_negotiated; + + if( opt.transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + return( 0 ); + + /* Check if the use of a CID has been negotiated */ + ret = mbedtls_ssl_get_peer_cid( ssl, &cid_negotiated, + peer_cid, &peer_cid_len ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_get_peer_cid returned -0x%x\n\n", + -ret ); + return( ret ); + } + + if( cid_negotiated == MBEDTLS_SSL_CID_DISABLED ) + { + if( opt.cid_enabled == MBEDTLS_SSL_CID_ENABLED ) + { + mbedtls_printf( "(%s) Use of Connection ID was rejected by the server.\n", + additional_description ); + } + } + else + { + size_t idx=0; + mbedtls_printf( "(%s) Use of Connection ID has been negotiated.\n", + additional_description ); + mbedtls_printf( "(%s) Peer CID (length %u Bytes): ", + additional_description, + (unsigned) peer_cid_len ); + while( idx < peer_cid_len ) + { + mbedtls_printf( "%02x ", peer_cid[ idx ] ); + idx++; + } + mbedtls_printf( "\n" ); + } + + return( 0 ); +} +#endif /* MBEDTLS_SSL_CID */ + int main( int argc, char *argv[] ) { int ret = 0, len, tail_len, i, written, frags, retry_left; @@ -604,7 +664,9 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_CID) unsigned char cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; + unsigned char cid_renego[MBEDTLS_SSL_CID_IN_LEN_MAX]; size_t cid_len = 0; + size_t cid_renego_len = 0; #endif #if defined(MBEDTLS_SSL_ALPN) @@ -682,6 +744,8 @@ int main( int argc, char *argv[] ) opt.debug_level = DFL_DEBUG_LEVEL; opt.cid_enabled = DFL_CID_ENABLED; opt.cid_val = DFL_CID_VALUE; + opt.cid_enabled_renego = DFL_CID_ENABLED_RENEGO; + opt.cid_val_renego = DFL_CID_VALUE_RENEGO; opt.nbio = DFL_NBIO; opt.event = DFL_EVENT; opt.read_timeout = DFL_READ_TIMEOUT; 
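Review bot: `report_cid_usage` decides whether to print "Use of Connection ID was rejected by the server." from `opt.cid_enabled`, yet the same function is later called with "after renegotiation", where the setting that was actually offered is `opt.cid_enabled_renego`; with `cid=0 cid_renego=1` a rejection on renegotiation is reported as nothing at all, and with `cid=1 cid_renego=0` a non-negotiated CID is reported as a rejection. Pass the phase's flag in, e.g. `int report_cid_usage( mbedtls_ssl_context *ssl, const char *additional_description, int cid_enabled )` and test `if( cid_enabled == MBEDTLS_SSL_CID_ENABLED )`, with the two call sites passing `opt.cid_enabled` and `opt.cid_enabled_renego` respectively. The function is file-local and no header declaration is visible, so `static int report_cid_usage(...)` would also keep it out of the global namespace. The ssl_server2.c copy (hunk @@ -1214,6 +1224,56) has the same flaw, with its "was not offered by client" message.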
@@ -798,10 +862,20 @@ int main( int argc, char *argv[] ) if( opt.cid_enabled != 0 && opt.cid_enabled != 1 ) goto usage; } + else if( strcmp( p, "cid_renego" ) == 0 ) + { + opt.cid_enabled_renego = atoi( q ); + if( opt.cid_enabled_renego != 0 && opt.cid_enabled_renego != 1 ) + goto usage; + } else if( strcmp( p, "cid_val" ) == 0 ) { opt.cid_val = q; } + else if( strcmp( p, "cid_val_renego" ) == 0 ) + { + opt.cid_val_renego = q; + } #endif /* MBEDTLS_SSL_CID */ else if( strcmp( p, "psk" ) == 0 ) opt.psk = q; @@ -1145,21 +1219,38 @@ int main( int argc, char *argv[] ) } #if defined(MBEDTLS_SSL_CID) - if( strlen( opt.cid_val ) ) - { - cid_len = strlen( opt.cid_val ) / 2; - if( cid_len > sizeof( cid ) ) - { - mbedtls_printf( "CID too long\n" ); - goto exit; - } + cid_len = strlen( opt.cid_val ) / 2; + if( cid_len > sizeof( cid ) ) + { + mbedtls_printf( "CID too long\n" ); + goto exit; + } - if( unhexify( opt.cid_val, cid ) != 0 ) - { - mbedtls_printf( "CID not valid hex\n" ); - goto exit; - } - } + if( unhexify( opt.cid_val, cid ) != 0 ) + { + mbedtls_printf( "CID not valid hex\n" ); + goto exit; + } + + /* Keep CID settings for renegotiation unless + * specified otherwise. */ + if( opt.cid_enabled_renego == DFL_CID_ENABLED_RENEGO ) + opt.cid_enabled_renego = opt.cid_enabled; + if( opt.cid_val_renego == DFL_CID_VALUE_RENEGO ) + opt.cid_val_renego = opt.cid_val; + + cid_renego_len = strlen( opt.cid_val_renego ) / 2; + if( cid_renego_len > sizeof( cid_renego ) ) + { + mbedtls_printf( "CID too long\n" ); + goto exit; + } + + if( unhexify( opt.cid_val_renego, cid_renego ) != 0 ) + { + mbedtls_printf( "CID not valid hex\n" ); + goto exit; + } #endif /* MBEDTLS_SSL_CID */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 
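Review bot: The renegotiation CID reuses the exact messages `"CID too long\n"` and `"CID not valid hex\n"` of the initial CID, so when a user passes both `cid_val` and `cid_val_renego` the diagnostic does not say which value was rejected; use `"Renegotiation CID too long\n"` and `"Renegotiation CID not valid hex\n"` for the second pair. Separately, `cid_len = strlen( opt.cid_val ) / 2` floors an odd-length string, so the `cid_len > sizeof( cid )` check lets such input through and the code relies on `unhexify` (not visible in this hunk) to reject it; a comment such as `/* odd-length input is rejected by unhexify() */` would make that assumption explicit where it is made, or should be verified against unhexify. `main` continues outside the hunk.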
@@ -1447,9 +1538,22 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_CID) - if( opt.cid_enabled == 1 ) + if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 ) { - ret = mbedtls_ssl_conf_cid_len( &conf, cid_len ); + if( opt.cid_enabled == 1 && + opt.cid_enabled_renego == 1 && + cid_len != cid_renego_len ) + { + mbedtls_printf( "CID length must not change during renegotiation\n" ); + goto usage; + } + + + if( opt.cid_enabled == 1 ) + ret = mbedtls_ssl_conf_cid_len( &conf, cid_len ); + else + ret = mbedtls_ssl_conf_cid_len( &conf, cid_renego_len ); + if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_conf_cid_len returned %d\n\n", 
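Review bot: The new `cid_len != cid_renego_len` rejection has no comment saying why the two lengths must agree, and the message "CID length must not change during renegotiation" is a surprising constraint for a user to hit without explanation; presumably `mbedtls_ssl_conf_cid_len` fixes a single incoming-CID length for the whole configuration, so record that above the check: `/* mbedtls_ssl_conf_cid_len() fixes one CID length for the whole connection, so the initial and renegotiation CIDs must have equal length. */`. There is also a stray double blank line between the check and the `if( opt.cid_enabled == 1 )` that follows. The ssl_server2.c copy (hunk @@ -2310,9 +2388,21) needs the same comment. The enclosing `main` continues outside the hunk.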
@@ -1769,41 +1873,19 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_CID) + ret = report_cid_usage( &ssl, "initial handshake" ); + if( ret != 0 ) + goto exit; + if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; - size_t peer_cid_len; - int cid_negotiated; - - /* Check if the use of a CID has been negotiated */ - ret = mbedtls_ssl_get_peer_cid( &ssl, &cid_negotiated, - peer_cid, &peer_cid_len ); - if( ret != 0 ) + if( ( ret = mbedtls_ssl_set_cid( &ssl, opt.cid_enabled_renego, + cid_renego, + cid_renego_len ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_get_peer_cid returned -0x%x\n\n", - -ret ); - goto exit; - } - - if( cid_negotiated == MBEDTLS_SSL_CID_DISABLED ) - { - if( opt.cid_enabled == MBEDTLS_SSL_CID_ENABLED ) - { - mbedtls_printf( "Use of Connection ID was rejected by the server.\n" ); - } - } - else - { - size_t idx=0; - mbedtls_printf( "Use of Connection ID has been negotiated.\n" ); - mbedtls_printf( "Peer CID (length %u Bytes): ", - (unsigned) peer_cid_len ); - while( idx < peer_cid_len ) - { - mbedtls_printf( "%02x ", peer_cid[ idx ] ); - idx++; - } - mbedtls_printf( "\n" ); + mbedtls_printf( " failed\n ! mbedtls_ssl_set_cid returned %d\n\n", + ret ); + return( ret ); } } #endif /* MBEDTLS_SSL_CID */ @@ -1848,6 +1930,12 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_SSL_RENEGOTIATION */ +#if defined(MBEDTLS_SSL_CID) + ret = report_cid_usage( &ssl, "after renegotiation" ); + if( ret != 0 ) + goto exit; +#endif /* MBEDTLS_SSL_CID */ + /* * 6. Write the GET request */ diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 910bd5298..6b5edb25c 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c 
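Review bot: On `mbedtls_ssl_set_cid` failure the new code does `return( ret );` straight out of `main`, skipping whatever cleanup the `exit:` label performs, whereas the `report_cid_usage` check four lines above and every other failure in this region use `goto exit`, and the ssl_server2.c counterpart of this hunk (@@ -2869,42 +2959,19) also uses `goto exit`. Change `return( ret );` to `goto exit;`. `main` continues outside the hunk.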
@@ -139,6 +139,8 @@ int main( void ) #define DFL_SHA1 -1 #define DFL_CID_ENABLED 0 #define DFL_CID_VALUE "" +#define DFL_CID_ENABLED_RENEGO -1 +#define DFL_CID_VALUE_RENEGO NULL #define DFL_AUTH_MODE -1 #define DFL_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED #define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE @@ -228,8 +230,12 @@ int main( void ) #define USAGE_CID \ " cid=%%d Disable (0) or enable (1) the use of the DTLS Connection ID extension.\n" \ " default: 0 (disabled)\n" \ + " cid_renego=%%d Disable (0) or enable (1) the use of the DTLS Connection ID extension during renegotiation.\n" \ + " default: same as 'cid'\n" \ " cid_val=%%s The CID to use for incoming messages (in hex, without 0x).\n" \ - " default: \"\"\n" + " default: \"\"\n" \ + " cid_val_renego=%%s The CID to use for incoming messages (in hex, without 0x) after renegotiation.\n" \ + " default: same as 'cid_val'\n" #else /* MBEDTLS_SSL_CID */ #define USAGE_CID "" #endif /* MBEDTLS_SSL_CID */ @@ -523,7 +529,11 @@ struct options int dgram_packing; /* allow/forbid datagram packing */ int badmac_limit; /* Limit of records with bad MAC */ int cid_enabled; /* whether to use the CID extension or not */ + int cid_enabled_renego; /* whether to use the CID extension or not + * during renegotiation */ const char *cid_val; /* the CID to use for incoming messages */ + const char *cid_val_renego; /* the CID to use for incoming messages + * after renegotiation */ } opt; int query_config( const char *config ); 
@@ -1214,6 +1224,56 @@ int idle( mbedtls_net_context *fd, return( 0 ); } +#if defined(MBEDTLS_SSL_CID) +int report_cid_usage( mbedtls_ssl_context *ssl, + const char *additional_description ) +{ + int ret; + unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; + size_t peer_cid_len; + int cid_negotiated; + + if( opt.transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + return( 0 ); + + /* Check if the use of a CID has been negotiated */ + ret = mbedtls_ssl_get_peer_cid( ssl, &cid_negotiated, + peer_cid, &peer_cid_len ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_get_peer_cid returned -0x%x\n\n", + -ret ); + return( ret ); + } + + if( cid_negotiated == MBEDTLS_SSL_CID_DISABLED ) + { + if( opt.cid_enabled == MBEDTLS_SSL_CID_ENABLED ) + { + mbedtls_printf( "(%s) Use of Connection ID was not offered by client.\n", + additional_description ); + } + } + else + { + size_t idx=0; + mbedtls_printf( "(%s) Use of Connection ID has been negotiated.\n", + additional_description ); + mbedtls_printf( "(%s) Peer CID (length %u Bytes): ", + additional_description, + (unsigned) peer_cid_len ); + while( idx < peer_cid_len ) + { + mbedtls_printf( "%02x ", peer_cid[ idx ] ); + idx++; + } + mbedtls_printf( "\n" ); + } + + return( 0 ); +} +#endif /* MBEDTLS_SSL_CID */ + int main( int argc, char *argv[] ) { int ret = 0, len, written, frags, exchanges_left; @@ -1281,7 +1341,9 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_CID) unsigned char cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; + unsigned char cid_renego[MBEDTLS_SSL_CID_IN_LEN_MAX]; size_t cid_len = 0; + size_t cid_renego_len = 0; #endif int i; @@ -1362,7 +1424,9 @@ int main( int argc, char *argv[] ) opt.response_size = DFL_RESPONSE_SIZE; opt.nbio = DFL_NBIO; opt.cid_enabled = DFL_CID_ENABLED; + opt.cid_enabled_renego = DFL_CID_ENABLED_RENEGO; opt.cid_val = DFL_CID_VALUE; + opt.cid_val_renego = DFL_CID_VALUE_RENEGO; opt.read_timeout = DFL_READ_TIMEOUT; opt.ca_file = DFL_CA_FILE; opt.ca_path = DFL_CA_PATH; 
@@ -1508,10 +1572,20 @@ int main( int argc, char *argv[] ) if( opt.cid_enabled != 0 && opt.cid_enabled != 1 ) goto usage; } + else if( strcmp( p, "cid_renego" ) == 0 ) + { + opt.cid_enabled_renego = atoi( q ); + if( opt.cid_enabled_renego != 0 && opt.cid_enabled_renego != 1 ) + goto usage; + } else if( strcmp( p, "cid_val" ) == 0 ) { opt.cid_val = q; } + else if( strcmp( p, "cid_val_renego" ) == 0 ) + { + opt.cid_val_renego = q; + } #endif /* MBEDTLS_SSL_CID */ else if( strcmp( p, "psk" ) == 0 ) opt.psk = q; @@ -1920,22 +1994,26 @@ int main( int argc, char *argv[] ) } } -#if defined(MBEDTLS_SSL_CID) - if( strlen( opt.cid_val ) ) - { - cid_len = strlen( opt.cid_val ) / 2; - if( cid_len > sizeof( cid ) ) - { - mbedtls_printf( "CID too long\n" ); - goto exit; - } - if( unhexify( cid, opt.cid_val, &cid_len ) != 0 ) - { - mbedtls_printf( "CID not valid hex\n" ); - goto exit; - } - } +#if defined(MBEDTLS_SSL_CID) + if( unhexify( cid, opt.cid_val, &cid_len ) != 0 ) + { + mbedtls_printf( "CID not valid hex\n" ); + goto exit; + } + + /* Keep CID settings for renegotiation unless + * specified otherwise. */ + if( opt.cid_enabled_renego == DFL_CID_ENABLED_RENEGO ) + opt.cid_enabled_renego = opt.cid_enabled; + if( opt.cid_val_renego == DFL_CID_VALUE_RENEGO ) + opt.cid_val_renego = opt.cid_val; + + if( unhexify( cid_renego, opt.cid_val_renego, &cid_renego_len ) != 0 ) + { + mbedtls_printf( "CID not valid hex\n" ); + goto exit; + } #endif /* MBEDTLS_SSL_CID */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 
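Review bot: In hunk @@ -1920,22 +1994,26 the explicit `cid_len > sizeof( cid )` guard that the removed block performed before calling `unhexify` is dropped, and `unhexify( cid, opt.cid_val, &cid_len )` is now called with `cid_len` still 0 and no length pre-check; whether `unhexify` bounds its writes by the size of the destination is not visible in this hunk, so unless it does, an over-long `cid_val` (or `cid_val_renego`) writes past the stack arrays `cid` / `cid_renego`. Even if `unhexify` has an internal limit, relying on it being no larger than `MBEDTLS_SSL_CID_IN_LEN_MAX` is a coincidental coupling. Keep the pre-check before each call, as the ssl_client2.c hunk (@@ -1145,21 +1219,38) does: `if( strlen( opt.cid_val ) / 2 > sizeof( cid ) ) { mbedtls_printf( "CID too long\n" ); goto exit; }`, and likewise for `opt.cid_val_renego` against `sizeof( cid_renego )`. `main` continues outside the hunk.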
@@ -2310,9 +2388,21 @@ int main( int argc, char *argv[] ) #endif #if defined(MBEDTLS_SSL_CID) - if( opt.cid_enabled == 1 ) + if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 ) { - ret = mbedtls_ssl_conf_cid_len( &conf, cid_len ); + if( opt.cid_enabled == 1 && + opt.cid_enabled_renego == 1 && + cid_len != cid_renego_len ) + { + mbedtls_printf( "CID length must not change during renegotiation\n" ); + goto usage; + } + + if( opt.cid_enabled == 1 ) + ret = mbedtls_ssl_conf_cid_len( &conf, cid_len ); + else + ret = mbedtls_ssl_conf_cid_len( &conf, cid_renego_len ); + if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_conf_cid_len returned %d\n\n", @@ -2869,42 +2959,19 @@ handshake: #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_CID) + ret = report_cid_usage( &ssl, "initial handshake" ); + if( ret != 0 ) + goto exit; + if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; - size_t peer_cid_len; - int cid_negotiated; - - /* Check if the use of a CID has been negotiated */ - ret = mbedtls_ssl_get_peer_cid( &ssl, &cid_negotiated, - peer_cid, &peer_cid_len ); - if( ret != 0 ) + if( ( ret = mbedtls_ssl_set_cid( &ssl, opt.cid_enabled_renego, + cid_renego, cid_renego_len ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_get_peer_cid returned -0x%x\n\n", - -ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_set_cid returned %d\n\n", + ret ); goto exit; } - - if( cid_negotiated == MBEDTLS_SSL_CID_DISABLED ) - { - if( opt.cid_enabled == MBEDTLS_SSL_CID_ENABLED ) - { - mbedtls_printf( "Use of Connection ID was not offered by the client.\n" ); - } - } - else - { - size_t idx=0; - mbedtls_printf( "Use of Connection ID has been negotiated.\n" ); - mbedtls_printf( "Peer CID (length %u Bytes): ", - (unsigned) peer_cid_len ); - while( idx < peer_cid_len ) - { - mbedtls_printf( "%02x ", peer_cid[ idx ] ); - idx++; - } - mbedtls_printf( "\n" ); - } } #endif /* MBEDTLS_SSL_CID */ 
@@ -3118,6 +3185,10 @@ data_exchange: } #endif /* MBEDTLS_SSL_RENEGOTIATION */ + ret = report_cid_usage( &ssl, "after renegotiation" ); + if( ret != 0 ) + goto exit; + /* * 7. Write the 200 Response */ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 020abd2a3..ebee0fd38 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
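Review bot: The `report_cid_usage( &ssl, "after renegotiation" )` call added after the `MBEDTLS_SSL_RENEGOTIATION` block is not wrapped in `#if defined(MBEDTLS_SSL_CID)`, but `report_cid_usage` is only defined under that guard (hunk @@ -1214,6 +1224,56), so a build with `MBEDTLS_SSL_CID` disabled fails with an undeclared function. The equivalent ssl_client2.c hunk (@@ -1848,6 +1930,12) wraps the call correctly. Surround the three lines with `#if defined(MBEDTLS_SSL_CID)` and `#endif /* MBEDTLS_SSL_CID */`. The enclosing `data_exchange:` section of `main` continues outside the hunk.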
@@ -1385,24 +1385,93 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empt requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "(STUB) Connection ID: Client+Server enabled, renegotiate" \ +run_test "(STUB) Connection ID: Client+Server enabled, renegotiate without change of CID" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \ 0 \ - -c "Enable use of CID extension." \ - -s "Enable use of CID extension." \ - -c "client hello, adding CID extension" \ - -s "found CID extension" \ - -s "Use of CID extension negotiated" \ - -s "server hello, adding CID extension" \ - -c "found CID extension" \ - -c "Use of CID extension negotiated" \ - -s "Copy CIDs into SSL transform" \ - -c "Copy CIDs into SSL transform" \ - -c "Peer CID (length 2 Bytes): de ad" \ - -s "Peer CID (length 2 Bytes): be ef" \ - -s "Use of Connection ID has been negotiated" \ - -c "Use of Connection ID has been negotiated" + -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \ + -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \ + -s "(initial handshake) Use of Connection ID has been negotiated" \ + -c "(initial handshake) Use of Connection ID has been negotiated" \ + -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \ + -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \ + -s "(after renegotiation) Use of Connection ID has been negotiated" \ + -c "(after renegotiation) Use of Connection ID has been negotiated" + +requires_config_enabled MBEDTLS_SSL_CID +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "(STUB) Connection ID: Client+Server enabled, renegotiate with different CID" \ + "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \ + "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \ + 0 \ + -c 
"(initial handshake) Peer CID (length 2 Bytes): de ad" \ + -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \ + -s "(initial handshake) Use of Connection ID has been negotiated" \ + -c "(initial handshake) Use of Connection ID has been negotiated" \ + -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \ + -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \ + -s "(after renegotiation) Use of Connection ID has been negotiated" \ + -c "(after renegotiation) Use of Connection ID has been negotiated" + +requires_config_enabled MBEDTLS_SSL_CID +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "(STUB) Connection ID: Client+Server enabled, renegotiate without CID" \ + "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \ + "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \ + 0 \ + -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \ + -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \ + -s "(initial handshake) Use of Connection ID has been negotiated" \ + -c "(initial handshake) Use of Connection ID has been negotiated" \ + -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \ + -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \ + -C "(after renegotiation) Use of Connection ID has been negotiated" \ + -S "(after renegotiation) Use of Connection ID has been negotiated" + +requires_config_enabled MBEDTLS_SSL_CID +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "(STUB) Connection ID: Client+Server enabled, CID on renegotiation" \ + "$P_SRV debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \ + "$P_CLI debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \ + 0 \ + -S "(initial handshake) Use of Connection ID has been negotiated" \ + -C "(initial handshake) Use of Connection ID has been negotiated" \ + -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \ 
+ -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \ + -c "(after renegotiation) Use of Connection ID has been negotiated" \ + -s "(after renegotiation) Use of Connection ID has been negotiated" + +requires_config_enabled MBEDTLS_SSL_CID +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "(STUB) Connection ID: Client+Server enabled, client disables on renegotiation" \ + "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \ + "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \ + 0 \ + -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \ + -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \ + -s "(initial handshake) Use of Connection ID has been negotiated" \ + -c "(initial handshake) Use of Connection ID has been negotiated" \ + -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \ + -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \ + -C "(after renegotiation) Use of Connection ID has been negotiated" \ + -S "(after renegotiation) Use of Connection ID has been negotiated" \ + -s "(after renegotiation) Use of Connection ID was not offered by client" + +requires_config_enabled MBEDTLS_SSL_CID +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "(STUB) Connection ID: Client+Server enabled, server disables on renegotiation" \ + "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \ + "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \ + 0 \ + -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \ + -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \ + -s "(initial handshake) Use of Connection ID has been negotiated" \ + -c "(initial handshake) Use of Connection ID has been negotiated" \ + -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \ + -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \ + -C "(after renegotiation) Use of Connection ID has been negotiated" \ + 
-S "(after renegotiation) Use of Connection ID has been negotiated" \ + -c "(after renegotiation) Use of Connection ID was rejected by the server" # Tests for Encrypt-then-MAC extension
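Review bot: The new tests cover keeping, swapping and disabling the CID across renegotiation, but none exercises the rejection path added to both programs, `CID length must not change during renegotiation`, so a regression in that check would go unnoticed. A negative test passing a renegotiation CID of a different length than the initial one would cover it; the expected exit status below is a placeholder to be confirmed against what the program's `usage:` path returns, and the same check could be exercised on the server side with `cid_val_renego` on `$P_SRV`.
```shell
requires_config_enabled MBEDTLS_SSL_CID
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "(STUB) Connection ID: Client+Server enabled, CID length change on renegotiation rejected" \
            "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
            "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_val_renego=beefbeef renegotiation=1 renegotiate=1" \
            1 \
            -c "CID length must not change during renegotiation"
```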