cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-04 04:32:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add support for change of CID to ssl_client2 / ssl_server2

Browse Source 
And add tests for various CID configuration changes during
renegotiation to ssl-opt.sh.
This commit is contained in:
Hanno Becker 2019-05-03 17:30:59 +01:00
parent 2749a67d1f
commit b42ec0df02
3 changed files with 341 additions and 113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

160
programs/ssl/ssl_client2.c
View File

@ -115,6 +115,8 @@ int main( void )
#define DFL_RECO_DELAY 0 #define DFL_RECO_DELAY 0
#define DFL_CID_ENABLED 0 #define DFL_CID_ENABLED 0
#define DFL_CID_VALUE "" #define DFL_CID_VALUE ""
#define DFL_CID_ENABLED_RENEGO -1
#define DFL_CID_VALUE_RENEGO NULL
#define DFL_RECONNECT_HARD 0 #define DFL_RECONNECT_HARD 0
#define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED #define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED
#define DFL_ALPN_STRING NULL #define DFL_ALPN_STRING NULL
@ -172,8 +174,12 @@ int main( void )
#define USAGE_CID \ #define USAGE_CID \
" cid=%%d Disable (0) or enable (1) the use of the DTLS Connection ID extension.\n" \ " cid=%%d Disable (0) or enable (1) the use of the DTLS Connection ID extension.\n" \
" default: 0 (disabled)\n" \ " default: 0 (disabled)\n" \
" cid_renego=%%d Disable (0) or enable (1) the use of the DTLS Connection ID extension during renegotiation.\n" \
" default: same as 'cid'\n" \
" cid_val=%%s The CID to use for incoming messages (in hex, without 0x).\n" \ " cid_val=%%s The CID to use for incoming messages (in hex, without 0x).\n" \
" default: \"\"\n" " default: \"\"\n" \
" cid_val_renego=%%s The CID to use for incoming messages (in hex, without 0x) after renegotiation.\n" \
" default: same as cid_val\n"
#else /* MBEDTLS_SSL_CID */ #else /* MBEDTLS_SSL_CID */
#define USAGE_CID "" #define USAGE_CID ""
#endif /* MBEDTLS_SSL_CID */ #endif /* MBEDTLS_SSL_CID */
@ -471,7 +477,11 @@ struct options
int context_crt_cb; /* use context-specific CRT verify callback */ int context_crt_cb; /* use context-specific CRT verify callback */
int eap_tls; /* derive EAP-TLS keying material? */ int eap_tls; /* derive EAP-TLS keying material? */
int cid_enabled; /* whether to use the CID extension or not */ int cid_enabled; /* whether to use the CID extension or not */
int cid_enabled_renego; /* whether to use the CID extension or not
* during renegotiation */
const char *cid_val; /* the CID to use for incoming messages */ const char *cid_val; /* the CID to use for incoming messages */
const char *cid_val_renego; /* the CID to use for incoming messages
* after renegotiation */
} opt; } opt;
int query_config( const char *config ); int query_config( const char *config );
@ -762,6 +772,56 @@ int unhexify( char const *hex, unsigned char *dst )
return( 0 ); return( 0 );
} }
#if defined(MBEDTLS_SSL_CID)
int report_cid_usage( mbedtls_ssl_context *ssl,
const char *additional_description )
{
int ret;
unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
size_t peer_cid_len;
int cid_negotiated;
if( opt.transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
return( 0 );
/* Check if the use of a CID has been negotiated */
ret = mbedtls_ssl_get_peer_cid( ssl, &cid_negotiated,
peer_cid, &peer_cid_len );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_get_peer_cid returned -0x%x\n\n",
-ret );
return( ret );
}
if( cid_negotiated == MBEDTLS_SSL_CID_DISABLED )
{
if( opt.cid_enabled == MBEDTLS_SSL_CID_ENABLED )
{
mbedtls_printf( "(%s) Use of Connection ID was rejected by the server.\n",
additional_description );
}
}
else
{
size_t idx=0;
mbedtls_printf( "(%s) Use of Connection ID has been negotiated.\n",
additional_description );
mbedtls_printf( "(%s) Peer CID (length %u Bytes): ",
additional_description,
(unsigned) peer_cid_len );
while( idx < peer_cid_len )
{
mbedtls_printf( "%02x ", peer_cid[ idx ] );
idx++;
}
mbedtls_printf( "\n" );
}
return( 0 );
}
#endif /* MBEDTLS_SSL_CID */
int main( int argc, char *argv[] ) int main( int argc, char *argv[] )
{ {
int ret = 0, len, tail_len, i, written, frags, retry_left; int ret = 0, len, tail_len, i, written, frags, retry_left;
@ -776,7 +836,9 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_SSL_CID) #if defined(MBEDTLS_SSL_CID)
unsigned char cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; unsigned char cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
unsigned char cid_renego[MBEDTLS_SSL_CID_IN_LEN_MAX];
size_t cid_len = 0; size_t cid_len = 0;
size_t cid_renego_len = 0;
#endif #endif
#if defined(MBEDTLS_SSL_ALPN) #if defined(MBEDTLS_SSL_ALPN)
@ -881,6 +943,8 @@ int main( int argc, char *argv[] )
opt.debug_level = DFL_DEBUG_LEVEL; opt.debug_level = DFL_DEBUG_LEVEL;
opt.cid_enabled = DFL_CID_ENABLED; opt.cid_enabled = DFL_CID_ENABLED;
opt.cid_val = DFL_CID_VALUE; opt.cid_val = DFL_CID_VALUE;
opt.cid_enabled_renego = DFL_CID_ENABLED_RENEGO;
opt.cid_val_renego = DFL_CID_VALUE_RENEGO;
opt.nbio = DFL_NBIO; opt.nbio = DFL_NBIO;
opt.event = DFL_EVENT; opt.event = DFL_EVENT;
opt.context_crt_cb = DFL_CONTEXT_CRT_CB; opt.context_crt_cb = DFL_CONTEXT_CRT_CB;
@ -1016,10 +1080,20 @@ int main( int argc, char *argv[] )
if( opt.cid_enabled != 0 && opt.cid_enabled != 1 ) if( opt.cid_enabled != 0 && opt.cid_enabled != 1 )
goto usage; goto usage;
} }
else if( strcmp( p, "cid_renego" ) == 0 )
{
opt.cid_enabled_renego = atoi( q );
if( opt.cid_enabled_renego != 0 && opt.cid_enabled_renego != 1 )
goto usage;
}
else if( strcmp( p, "cid_val" ) == 0 ) else if( strcmp( p, "cid_val" ) == 0 )
{ {
opt.cid_val = q; opt.cid_val = q;
} }
else if( strcmp( p, "cid_val_renego" ) == 0 )
{
opt.cid_val_renego = q;
}
#endif /* MBEDTLS_SSL_CID */ #endif /* MBEDTLS_SSL_CID */
else if( strcmp( p, "psk" ) == 0 ) else if( strcmp( p, "psk" ) == 0 )
opt.psk = q; opt.psk = q;
@ -1443,8 +1517,6 @@ int main( int argc, char *argv[] )
} }
#if defined(MBEDTLS_SSL_CID) #if defined(MBEDTLS_SSL_CID)
if( strlen( opt.cid_val ) )
{
cid_len = strlen( opt.cid_val ) / 2; cid_len = strlen( opt.cid_val ) / 2;
if( cid_len > sizeof( cid ) ) if( cid_len > sizeof( cid ) )
{ {
@ -1457,6 +1529,25 @@ int main( int argc, char *argv[] )
mbedtls_printf( "CID not valid hex\n" ); mbedtls_printf( "CID not valid hex\n" );
goto exit; goto exit;
} }
/* Keep CID settings for renegotiation unless
* specified otherwise. */
if( opt.cid_enabled_renego == DFL_CID_ENABLED_RENEGO )
opt.cid_enabled_renego = opt.cid_enabled;
if( opt.cid_val_renego == DFL_CID_VALUE_RENEGO )
opt.cid_val_renego = opt.cid_val;
cid_renego_len = strlen( opt.cid_val_renego ) / 2;
if( cid_renego_len > sizeof( cid_renego ) )
{
mbedtls_printf( "CID too long\n" );
goto exit;
}
if( unhexify( opt.cid_val_renego, cid_renego ) != 0 )
{
mbedtls_printf( "CID not valid hex\n" );
goto exit;
} }
#endif /* MBEDTLS_SSL_CID */ #endif /* MBEDTLS_SSL_CID */
@ -1739,9 +1830,22 @@ int main( int argc, char *argv[] )
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_CID) #if defined(MBEDTLS_SSL_CID)
if( opt.cid_enabled == 1 ) if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
{ {
if( opt.cid_enabled == 1 &&
opt.cid_enabled_renego == 1 &&
cid_len != cid_renego_len )
{
mbedtls_printf( "CID length must not change during renegotiation\n" );
goto usage;
}
if( opt.cid_enabled == 1 )
ret = mbedtls_ssl_conf_cid_len( &conf, cid_len ); ret = mbedtls_ssl_conf_cid_len( &conf, cid_len );
else
ret = mbedtls_ssl_conf_cid_len( &conf, cid_renego_len );
if( ret != 0 ) if( ret != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_cid_len returned %d\n\n", mbedtls_printf( " failed\n ! mbedtls_ssl_conf_cid_len returned %d\n\n",
@ -2162,41 +2266,19 @@ int main( int argc, char *argv[] )
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_CID) #if defined(MBEDTLS_SSL_CID)
ret = report_cid_usage( &ssl, "initial handshake" );
if( ret != 0 )
goto exit;
if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{ {
unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; if( ( ret = mbedtls_ssl_set_cid( &ssl, opt.cid_enabled_renego,
size_t peer_cid_len; cid_renego,
int cid_negotiated; cid_renego_len ) ) != 0 )
/* Check if the use of a CID has been negotiated */
ret = mbedtls_ssl_get_peer_cid( &ssl, &cid_negotiated,
peer_cid, &peer_cid_len );
if( ret != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_get_peer_cid returned -0x%x\n\n", mbedtls_printf( " failed\n ! mbedtls_ssl_set_cid returned %d\n\n",
-ret ); ret );
goto exit; return( ret );
}
if( cid_negotiated == MBEDTLS_SSL_CID_DISABLED )
{
if( opt.cid_enabled == MBEDTLS_SSL_CID_ENABLED )
{
mbedtls_printf( "Use of Connection ID was rejected by the server.\n" );
}
}
else
{
size_t idx=0;
mbedtls_printf( "Use of Connection ID has been negotiated.\n" );
mbedtls_printf( "Peer CID (length %u Bytes): ",
(unsigned) peer_cid_len );
while( idx < peer_cid_len )
{
mbedtls_printf( "%02x ", peer_cid[ idx ] );
idx++;
}
mbedtls_printf( "\n" );
} }
} }
#endif /* MBEDTLS_SSL_CID */ #endif /* MBEDTLS_SSL_CID */
@ -2241,6 +2323,12 @@ int main( int argc, char *argv[] )
} }
#endif /* MBEDTLS_SSL_RENEGOTIATION */ #endif /* MBEDTLS_SSL_RENEGOTIATION */
#if defined(MBEDTLS_SSL_CID)
ret = report_cid_usage( &ssl, "after renegotiation" );
if( ret != 0 )
goto exit;
#endif /* MBEDTLS_SSL_CID */
/* /*
* 6. Write the GET request * 6. Write the GET request
*/ */

155
programs/ssl/ssl_server2.c
View File

@ -147,6 +147,8 @@ int main( void )
#define DFL_SHA1 -1 #define DFL_SHA1 -1
#define DFL_CID_ENABLED 0 #define DFL_CID_ENABLED 0
#define DFL_CID_VALUE "" #define DFL_CID_VALUE ""
#define DFL_CID_ENABLED_RENEGO -1
#define DFL_CID_VALUE_RENEGO NULL
#define DFL_AUTH_MODE -1 #define DFL_AUTH_MODE -1
#define DFL_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED #define DFL_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
#define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE #define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
@ -238,8 +240,12 @@ int main( void )
#define USAGE_CID \ #define USAGE_CID \
" cid=%%d Disable (0) or enable (1) the use of the DTLS Connection ID extension.\n" \ " cid=%%d Disable (0) or enable (1) the use of the DTLS Connection ID extension.\n" \
" default: 0 (disabled)\n" \ " default: 0 (disabled)\n" \
" cid_renego=%%d Disable (0) or enable (1) the use of the DTLS Connection ID extension during renegotiation.\n" \
" default: same as 'cid'\n" \
" cid_val=%%s The CID to use for incoming messages (in hex, without 0x).\n" \ " cid_val=%%s The CID to use for incoming messages (in hex, without 0x).\n" \
" default: \"\"\n" " default: \"\"\n" \
" cid_val_renego=%%s The CID to use for incoming messages (in hex, without 0x) after renegotiation.\n" \
" default: same as 'cid_val'\n"
#else /* MBEDTLS_SSL_CID */ #else /* MBEDTLS_SSL_CID */
#define USAGE_CID "" #define USAGE_CID ""
#endif /* MBEDTLS_SSL_CID */ #endif /* MBEDTLS_SSL_CID */
@ -586,7 +592,11 @@ struct options
int badmac_limit; /* Limit of records with bad MAC */ int badmac_limit; /* Limit of records with bad MAC */
int eap_tls; /* derive EAP-TLS keying material? */ int eap_tls; /* derive EAP-TLS keying material? */
int cid_enabled; /* whether to use the CID extension or not */ int cid_enabled; /* whether to use the CID extension or not */
int cid_enabled_renego; /* whether to use the CID extension or not
* during renegotiation */
const char *cid_val; /* the CID to use for incoming messages */ const char *cid_val; /* the CID to use for incoming messages */
const char *cid_val_renego; /* the CID to use for incoming messages
* after renegotiation */
} opt; } opt;
int query_config( const char *config ); int query_config( const char *config );
@ -1434,6 +1444,56 @@ static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t slot,
} }
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_CID)
int report_cid_usage( mbedtls_ssl_context *ssl,
const char *additional_description )
{
int ret;
unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
size_t peer_cid_len;
int cid_negotiated;
if( opt.transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
return( 0 );
/* Check if the use of a CID has been negotiated */
ret = mbedtls_ssl_get_peer_cid( ssl, &cid_negotiated,
peer_cid, &peer_cid_len );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_get_peer_cid returned -0x%x\n\n",
-ret );
return( ret );
}
if( cid_negotiated == MBEDTLS_SSL_CID_DISABLED )
{
if( opt.cid_enabled == MBEDTLS_SSL_CID_ENABLED )
{
mbedtls_printf( "(%s) Use of Connection ID was not offered by client.\n",
additional_description );
}
}
else
{
size_t idx=0;
mbedtls_printf( "(%s) Use of Connection ID has been negotiated.\n",
additional_description );
mbedtls_printf( "(%s) Peer CID (length %u Bytes): ",
additional_description,
(unsigned) peer_cid_len );
while( idx < peer_cid_len )
{
mbedtls_printf( "%02x ", peer_cid[ idx ] );
idx++;
}
mbedtls_printf( "\n" );
}
return( 0 );
}
#endif /* MBEDTLS_SSL_CID */
int main( int argc, char *argv[] ) int main( int argc, char *argv[] )
{ {
int ret = 0, len, written, frags, exchanges_left; int ret = 0, len, written, frags, exchanges_left;
@ -1505,7 +1565,9 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_SSL_CID) #if defined(MBEDTLS_SSL_CID)
unsigned char cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; unsigned char cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
unsigned char cid_renego[MBEDTLS_SSL_CID_IN_LEN_MAX];
size_t cid_len = 0; size_t cid_len = 0;
size_t cid_renego_len = 0;
#endif #endif
int i; int i;
@ -1606,7 +1668,9 @@ int main( int argc, char *argv[] )
opt.response_size = DFL_RESPONSE_SIZE; opt.response_size = DFL_RESPONSE_SIZE;
opt.nbio = DFL_NBIO; opt.nbio = DFL_NBIO;
opt.cid_enabled = DFL_CID_ENABLED; opt.cid_enabled = DFL_CID_ENABLED;
opt.cid_enabled_renego = DFL_CID_ENABLED_RENEGO;
opt.cid_val = DFL_CID_VALUE; opt.cid_val = DFL_CID_VALUE;
opt.cid_val_renego = DFL_CID_VALUE_RENEGO;
opt.read_timeout = DFL_READ_TIMEOUT; opt.read_timeout = DFL_READ_TIMEOUT;
opt.ca_file = DFL_CA_FILE; opt.ca_file = DFL_CA_FILE;
opt.ca_path = DFL_CA_PATH; opt.ca_path = DFL_CA_PATH;
@ -1760,10 +1824,20 @@ int main( int argc, char *argv[] )
if( opt.cid_enabled != 0 && opt.cid_enabled != 1 ) if( opt.cid_enabled != 0 && opt.cid_enabled != 1 )
goto usage; goto usage;
} }
else if( strcmp( p, "cid_renego" ) == 0 )
{
opt.cid_enabled_renego = atoi( q );
if( opt.cid_enabled_renego != 0 && opt.cid_enabled_renego != 1 )
goto usage;
}
else if( strcmp( p, "cid_val" ) == 0 ) else if( strcmp( p, "cid_val" ) == 0 )
{ {
opt.cid_val = q; opt.cid_val = q;
} }
else if( strcmp( p, "cid_val_renego" ) == 0 )
{
opt.cid_val_renego = q;
}
#endif /* MBEDTLS_SSL_CID */ #endif /* MBEDTLS_SSL_CID */
else if( strcmp( p, "psk" ) == 0 ) else if( strcmp( p, "psk" ) == 0 )
opt.psk = q; opt.psk = q;
@ -2248,21 +2322,25 @@ int main( int argc, char *argv[] )
} }
} }
#if defined(MBEDTLS_SSL_CID)
if( strlen( opt.cid_val ) )
{
cid_len = strlen( opt.cid_val ) / 2;
if( cid_len > sizeof( cid ) )
{
mbedtls_printf( "CID too long\n" );
goto exit;
}
#if defined(MBEDTLS_SSL_CID)
if( unhexify( cid, opt.cid_val, &cid_len ) != 0 ) if( unhexify( cid, opt.cid_val, &cid_len ) != 0 )
{ {
mbedtls_printf( "CID not valid hex\n" ); mbedtls_printf( "CID not valid hex\n" );
goto exit; goto exit;
} }
/* Keep CID settings for renegotiation unless
* specified otherwise. */
if( opt.cid_enabled_renego == DFL_CID_ENABLED_RENEGO )
opt.cid_enabled_renego = opt.cid_enabled;
if( opt.cid_val_renego == DFL_CID_VALUE_RENEGO )
opt.cid_val_renego = opt.cid_val;
if( unhexify( cid_renego, opt.cid_val_renego, &cid_renego_len ) != 0 )
{
mbedtls_printf( "CID not valid hex\n" );
goto exit;
} }
#endif /* MBEDTLS_SSL_CID */ #endif /* MBEDTLS_SSL_CID */
@ -2638,9 +2716,21 @@ int main( int argc, char *argv[] )
#endif #endif
#if defined(MBEDTLS_SSL_CID) #if defined(MBEDTLS_SSL_CID)
if( opt.cid_enabled == 1 ) if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
{ {
if( opt.cid_enabled == 1 &&
opt.cid_enabled_renego == 1 &&
cid_len != cid_renego_len )
{
mbedtls_printf( "CID length must not change during renegotiation\n" );
goto usage;
}
if( opt.cid_enabled == 1 )
ret = mbedtls_ssl_conf_cid_len( &conf, cid_len ); ret = mbedtls_ssl_conf_cid_len( &conf, cid_len );
else
ret = mbedtls_ssl_conf_cid_len( &conf, cid_renego_len );
if( ret != 0 ) if( ret != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_cid_len returned %d\n\n", mbedtls_printf( " failed\n ! mbedtls_ssl_conf_cid_len returned %d\n\n",
@ -3317,42 +3407,19 @@ handshake:
#endif #endif
#if defined(MBEDTLS_SSL_CID) #if defined(MBEDTLS_SSL_CID)
ret = report_cid_usage( &ssl, "initial handshake" );
if( ret != 0 )
goto exit;
if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{ {
unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; if( ( ret = mbedtls_ssl_set_cid( &ssl, opt.cid_enabled_renego,
size_t peer_cid_len; cid_renego, cid_renego_len ) ) != 0 )
int cid_negotiated;
/* Check if the use of a CID has been negotiated */
ret = mbedtls_ssl_get_peer_cid( &ssl, &cid_negotiated,
peer_cid, &peer_cid_len );
if( ret != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_get_peer_cid returned -0x%x\n\n", mbedtls_printf( " failed\n ! mbedtls_ssl_set_cid returned %d\n\n",
-ret ); ret );
goto exit; goto exit;
} }
if( cid_negotiated == MBEDTLS_SSL_CID_DISABLED )
{
if( opt.cid_enabled == MBEDTLS_SSL_CID_ENABLED )
{
mbedtls_printf( "Use of Connection ID was not offered by the client.\n" );
}
}
else
{
size_t idx=0;
mbedtls_printf( "Use of Connection ID has been negotiated.\n" );
mbedtls_printf( "Peer CID (length %u Bytes): ",
(unsigned) peer_cid_len );
while( idx < peer_cid_len )
{
mbedtls_printf( "%02x ", peer_cid[ idx ] );
idx++;
}
mbedtls_printf( "\n" );
}
} }
#endif /* MBEDTLS_SSL_CID */ #endif /* MBEDTLS_SSL_CID */
@ -3566,6 +3633,10 @@ data_exchange:
} }
#endif /* MBEDTLS_SSL_RENEGOTIATION */ #endif /* MBEDTLS_SSL_RENEGOTIATION */
ret = report_cid_usage( &ssl, "after renegotiation" );
if( ret != 0 )
goto exit;
/* /*
* 7. Write the 200 Response * 7. Write the 200 Response
*/ */

99
tests/ssl-opt.sh
View File

@ -1543,24 +1543,93 @@ run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empt
requires_config_enabled MBEDTLS_SSL_CID requires_config_enabled MBEDTLS_SSL_CID
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "(STUB) Connection ID: Client+Server enabled, renegotiate" \ run_test "(STUB) Connection ID: Client+Server enabled, renegotiate without change of CID" \
"$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
"$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
0 \ 0 \
-c "Enable use of CID extension." \ -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
-s "Enable use of CID extension." \ -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
-c "client hello, adding CID extension" \ -s "(initial handshake) Use of Connection ID has been negotiated" \
-s "found CID extension" \ -c "(initial handshake) Use of Connection ID has been negotiated" \
-s "Use of CID extension negotiated" \ -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
-s "server hello, adding CID extension" \ -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
-c "found CID extension" \ -s "(after renegotiation) Use of Connection ID has been negotiated" \
-c "Use of CID extension negotiated" \ -c "(after renegotiation) Use of Connection ID has been negotiated"
-s "Copy CIDs into SSL transform" \
-c "Copy CIDs into SSL transform" \ requires_config_enabled MBEDTLS_SSL_CID
-c "Peer CID (length 2 Bytes): de ad" \ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-s "Peer CID (length 2 Bytes): be ef" \ run_test "(STUB) Connection ID: Client+Server enabled, renegotiate with different CID" \
-s "Use of Connection ID has been negotiated" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
-c "Use of Connection ID has been negotiated" "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
0 \
-c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
-s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
-s "(initial handshake) Use of Connection ID has been negotiated" \
-c "(initial handshake) Use of Connection ID has been negotiated" \
-c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
-s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
-s "(after renegotiation) Use of Connection ID has been negotiated" \
-c "(after renegotiation) Use of Connection ID has been negotiated"
requires_config_enabled MBEDTLS_SSL_CID
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "(STUB) Connection ID: Client+Server enabled, renegotiate without CID" \
"$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
"$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
0 \
-c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
-s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
-s "(initial handshake) Use of Connection ID has been negotiated" \
-c "(initial handshake) Use of Connection ID has been negotiated" \
-C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
-S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
-C "(after renegotiation) Use of Connection ID has been negotiated" \
-S "(after renegotiation) Use of Connection ID has been negotiated"
requires_config_enabled MBEDTLS_SSL_CID
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "(STUB) Connection ID: Client+Server enabled, CID on renegotiation" \
"$P_SRV debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
"$P_CLI debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
0 \
-S "(initial handshake) Use of Connection ID has been negotiated" \
-C "(initial handshake) Use of Connection ID has been negotiated" \
-c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
-s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
-c "(after renegotiation) Use of Connection ID has been negotiated" \
-s "(after renegotiation) Use of Connection ID has been negotiated"
requires_config_enabled MBEDTLS_SSL_CID
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "(STUB) Connection ID: Client+Server enabled, client disables on renegotiation" \
"$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
"$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
0 \
-c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
-s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
-s "(initial handshake) Use of Connection ID has been negotiated" \
-c "(initial handshake) Use of Connection ID has been negotiated" \
-C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
-S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
-C "(after renegotiation) Use of Connection ID has been negotiated" \
-S "(after renegotiation) Use of Connection ID has been negotiated" \
-s "(after renegotiation) Use of Connection ID was not offered by client"
requires_config_enabled MBEDTLS_SSL_CID
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "(STUB) Connection ID: Client+Server enabled, server disables on renegotiation" \
"$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
"$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
0 \
-c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
-s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
-s "(initial handshake) Use of Connection ID has been negotiated" \
-c "(initial handshake) Use of Connection ID has been negotiated" \
-C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
-S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
-C "(after renegotiation) Use of Connection ID has been negotiated" \
-S "(after renegotiation) Use of Connection ID has been negotiated" \
-c "(after renegotiation) Use of Connection ID was rejected by the server"
# Tests for Encrypt-then-MAC extension # Tests for Encrypt-then-MAC extension