Allow configuration of ConnectionID at compile-time

Introduces
- MBEDTLS_SSL_CONF_CID_LEN and
- MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID
to control
- the length of incoming CIDs
- the behaviour in receipt of unexpected CIDs
at compile-time.

Impact on code-size:

|  | GCC 82.1 | ARMC5 5.06 | ARMC6 6.12 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23223 | 23865 | 26775 |
| `libmbedtls.a` after  | 23147 | 23781 | 26703 |
| gain in Bytes | 76 | 84 | 72 |
This commit is contained in:
Hanno Becker 2019-06-13 09:23:43 +01:00
parent b0b2b67568
commit e0200dad63
9 changed files with 109 additions and 12 deletions

View File

@ -80,6 +80,8 @@
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
/* Compile-time fixed parts of the SSL configuration */
#define MBEDTLS_SSL_CONF_CID_LEN 0
#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
#define MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION \
MBEDTLS_SSL_SECURE_RENEGOTIATION
#define MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED

View File

@ -631,6 +631,13 @@
#error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)"
#endif
#if ( defined(MBEDTLS_SSL_CONF_CID_LEN) && \
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) ) || \
( !defined(MBEDTLS_SSL_CONF_CID_LEN) && \
defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) )
#error "MBEDTLS_SSL_CONF_CID_LEN and MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID must be defined simultaneously"
#endif
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
#error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT defined, but not all prerequisites"

View File

@ -3457,6 +3457,8 @@
/* DTLS-specific settings */
//#define MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED
//#define MBEDTLS_SSL_CONF_BADMAC_LIMIT 0
//#define MBEDTLS_SSL_CONF_CID_LEN 0
//#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
/* ExtendedMasterSecret extension
* The following two options must be set/unset simultaneously. */

View File

@ -957,7 +957,9 @@ struct mbedtls_ssl_config
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if !defined(MBEDTLS_SSL_CONF_CID_LEN)
size_t cid_len; /*!< The length of CIDs for incoming DTLS records. */
#endif /* !MBEDTLS_SSL_CONF_CID_LEN */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@ -1100,9 +1102,11 @@ struct mbedtls_ssl_config
Certificate Request messages? */
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS
* record with unexpected CID
* should lead to failure. */
#endif /* !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
};
@ -2312,9 +2316,11 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co
void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
const int *ciphersuites );
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0
#define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 1
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
!defined(MBEDTLS_SSL_CONF_CID_LEN) && \
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
/**
* \brief Specify the length of Connection IDs for incoming
* encrypted DTLS records, as well as the behaviour
@ -2343,13 +2349,19 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
* same SSL configuration; this allows simpler parsing of
* record headers.
*
* \note On constrained systems, this configuration can also be
* fixed at compile-time via MBEDTLS_SSL_CONF_CID_LEN and
* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len
* is too large.
*/
int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len,
int ignore_other_cids );
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
!MBEDTLS_SSL_CONF_CID_LEN &&
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
/**
* \brief Set the list of allowed ciphersuites and the

View File

@ -1085,6 +1085,38 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
* be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
*/
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if !defined(MBEDTLS_SSL_CONF_CID_LEN)
static inline size_t mbedtls_ssl_conf_get_cid_len(
mbedtls_ssl_config const *conf )
{
return( conf->cid_len );
}
#else /* !MBEDTLS_SSL_CONF_CID_LEN */
static inline size_t mbedtls_ssl_conf_get_cid_len(
mbedtls_ssl_config const *conf )
{
((void) conf);
return( MBEDTLS_SSL_CONF_CID_LEN );
}
#endif /* MBEDTLS_SSL_CONF_CID_LEN */
#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
static inline unsigned int mbedtls_ssl_conf_get_ignore_unexpected_cid(
mbedtls_ssl_config const *conf )
{
return( conf->ignore_unexpected_cid );
}
#else /* !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
static inline unsigned int mbedtls_ssl_conf_get_ignore_unexpected_cid(
mbedtls_ssl_config const *conf )
{
((void) conf);
return( MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID );
}
#endif /* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
static inline unsigned int mbedtls_ssl_conf_get_allow_legacy_renegotiation(
mbedtls_ssl_config const *conf )

View File

@ -117,6 +117,9 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl );
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
/* Top-level Connection ID API */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
!defined(MBEDTLS_SSL_CONF_CID_LEN) && \
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
size_t len,
int ignore_other_cid )
@ -134,6 +137,21 @@ int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
conf->cid_len = len;
return( 0 );
}
#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
!MBEDTLS_SSL_CONF_CID_LEN &&
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
#if MBEDTLS_SSL_CONF_CID_LEN > MBEDTLS_SSL_CID_IN_LEN_MAX
#error "Invalid hardcoded value for MBEDTLS_SSL_CONF_CID_LEN"
#endif
#if MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE && \
MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID != MBEDTLS_SSL_UNEXPECTED_CID_FAIL
#error "Invalid hardcoded value for MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID"
#endif
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
!MBEDTLS_SSL_CONF_CID_LEN &&
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
int enable,
@ -152,11 +170,11 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
if( own_cid_len != ssl->conf->cid_len )
if( own_cid_len != mbedtls_ssl_conf_get_cid_len( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID length %u does not match CID length %u in config",
(unsigned) own_cid_len,
(unsigned) ssl->conf->cid_len ) );
(unsigned) mbedtls_ssl_conf_get_cid_len( ssl->conf ) ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@ -4617,7 +4635,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->in_msgtype == MBEDTLS_SSL_MSG_CID &&
ssl->conf->cid_len != 0 )
mbedtls_ssl_conf_get_cid_len( ssl->conf ) != 0 )
{
/* Shift pointers to account for record header including CID
* struct {
@ -4634,7 +4652,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
/* So far, we only support static CID lengths
* fixed in the configuration. */
ssl->in_len = ssl->in_cid + ssl->conf->cid_len;
ssl->in_len = ssl->in_cid + mbedtls_ssl_conf_get_cid_len( ssl->conf );
ssl->in_iv = ssl->in_msg = ssl->in_len + 2;
}
else
@ -4863,7 +4881,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
ssl->conf->ignore_unexpected_cid
mbedtls_ssl_conf_get_ignore_unexpected_cid( ssl->conf )
== MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );

View File

@ -2610,6 +2610,22 @@ int query_config( const char *config )
}
#endif /* MBEDTLS_SSL_CONF_BADMAC_LIMIT */
#if defined(MBEDTLS_SSL_CONF_CID_LEN)
if( strcmp( "MBEDTLS_SSL_CONF_CID_LEN", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_CID_LEN );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONF_CID_LEN */
#if defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
if( strcmp( "MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
#if defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
if( strcmp( "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET", config ) == 0 )
{

View File

@ -1672,7 +1672,9 @@ int main( int argc, char *argv[] )
memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
!defined(MBEDTLS_SSL_CONF_CID_LEN) && \
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
{
if( opt.cid_enabled == 1 &&
@ -1697,7 +1699,9 @@ int main( int argc, char *argv[] )
goto exit;
}
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
!MBEDTLS_SSL_CONF_CID_LEN &&
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
if( opt.auth_mode != DFL_AUTH_MODE )
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );

View File

@ -2489,7 +2489,9 @@ int main( int argc, char *argv[] )
};
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
!defined(MBEDTLS_SSL_CONF_CID_LEN) && \
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
{
if( opt.cid_enabled == 1 &&
@ -2514,7 +2516,9 @@ int main( int argc, char *argv[] )
goto exit;
}
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
!MBEDTLS_SSL_CONF_CID_LEN &&
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
if( opt.trunc_hmac != DFL_TRUNC_HMAC )