From fd6cca44489255bcba6849663ede0dd212b6f8cb Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Tue, 12 Oct 2021 09:22:33 +0200 Subject: [PATCH 01/12] CID update to RFC 9146 The DTLS 1.2 CID specification has been published as RFC 9146. This PR updates the implementation to match the RFC content. Signed-off-by: Hannes Tschofenig --- include/mbedtls/check_config.h | 6 + include/mbedtls/mbedtls_config.h | 37 +++-- include/mbedtls/ssl.h | 24 ++-- library/ssl_msg.c | 232 +++++++++++++++++++++++++++---- library/ssl_tls12_client.c | 3 - library/ssl_tls12_server.c | 6 - tests/scripts/all.sh | 19 +++ tests/ssl-opt.sh | 50 +++++++ 8 files changed, 308 insertions(+), 69 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index e00ffb5a96..3f4647a093 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -839,6 +839,12 @@ #error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)" #endif +#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) +#error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT defined, but not all prerequsites" +#endif + + #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) #error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequisites" diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 990dc58512..4b5a3131ec 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1320,9 +1320,7 @@ /** * \def MBEDTLS_SSL_DTLS_CONNECTION_ID * - * Enable support for the DTLS Connection ID extension - * (version draft-ietf-tls-dtls-connection-id-05, - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) + * Enable support for the DTLS Connection ID extension, * which allows to identify DTLS connections across changes * in the underlying transport. * 
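Review bot: In check_config.h the new guard only tests whether MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is defined, not that its value is 0 or 1. The later hunks in ssl.h and ssl_msg.c compare it with `== 0` and `== 1`, so any other value would pick extension type 254 through the `#else` while, as far as these hunks show, compiling neither CID branch of the additional-data builder; the CID would then be left out of the authenticated data with no build error. I would add `#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0 && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 1` followed by an `#error` naming the two accepted values. The new `#error` text also misspells "prerequisites".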
@@ -1331,10 +1329,6 @@ * `mbedtls_ssl_conf_cid()`. See the corresponding documentation for * more information. * - * \warning The Connection ID extension is still in draft state. - * We make no stability promises for the availability - * or the shape of the API controlled by this option. - * * The maximum lengths of outgoing and incoming CIDs can be configured * through the options * - MBEDTLS_SSL_CID_OUT_LEN_MAX @@ -1344,7 +1338,23 @@ * * Uncomment to enable the Connection ID extension. */ -//#define MBEDTLS_SSL_DTLS_CONNECTION_ID +#define MBEDTLS_SSL_DTLS_CONNECTION_ID + + +/** + * \def MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT + * + * Defines whether RFC 9146 (default) or the legacy version + * (version draft-ietf-tls-dtls-connection-id-05, + * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) + * is used. + * + * Set the value to 0 for the standard version, and + * 1 for the legacy draft version. + * + * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID + */ +#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 /** * \def MBEDTLS_SSL_ASYNC_PRIVATE @@ -3539,17 +3549,6 @@ //#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */ //#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */ -/** \def MBEDTLS_TLS_EXT_CID - * - * At the time of writing, the CID extension has not been assigned its - * final value. Set this configuration option to make Mbed TLS use a - * different value. - * - * A future minor revision of Mbed TLS may change the default value of - * this option to match evolving standards and usage. - */ -//#define MBEDTLS_TLS_EXT_CID 254 - /** * Complete list of ciphersuites to use, in order of preference. * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 3d820a5259..67d6118045 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
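Review bot: In mbedtls_config.h the retained sentence "Uncomment to enable the Connection ID extension." no longer matches the code, because the hunk at -1344 turns the option on by default and so adds the CID code paths to every default DTLS 1.2 build. The same hunk always defines `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0`, so commenting out MBEDTLS_SSL_DTLS_CONNECTION_ID alone trips the new `#error` in check_config.h. I would replace the sentence with `Comment this macro to disable the Connection ID extension; MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT must then be commented out as well.` and state in the COMPAT description that the extension type moves from 254 to 54, so a peer still on the draft will not negotiate CID unless the value is 1. The last hunk of this file removes the MBEDTLS_TLS_EXT_CID override, and the diffstat lists no ChangeLog file for that.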
@@ -401,7 +401,13 @@ #define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 #endif -/** \} name SECTION: Module settings */ +/* + * Default to standard CID mode + */ +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) +#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 +#endif /* * Length of the verify data for secure renegotiation @@ -571,15 +577,10 @@ #define MBEDTLS_TLS_EXT_SIG_ALG_CERT 50 /* RFC 8446 TLS 1.3 */ #define MBEDTLS_TLS_EXT_KEY_SHARE 51 /* RFC 8446 TLS 1.3 */ -/* The value of the CID extension is still TBD as of - * draft-ietf-tls-dtls-connection-id-05 - * (https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05). - * - * A future minor revision of Mbed TLS may change the default value of - * this option to match evolving standards and usage. - */ -#if !defined(MBEDTLS_TLS_EXT_CID) -#define MBEDTLS_TLS_EXT_CID 254 /* TBD */ +#if MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 +#define MBEDTLS_TLS_EXT_CID 54 /* RFC 9146 DTLS 1.2 CID */ +#else +#define MBEDTLS_TLS_EXT_CID 254 /* Pre-RFC 9146 DTLS 1.2 CID */ #endif #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP 256 /* experimental */ @@ -2003,8 +2004,9 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, * \brief Configure the use of the Connection ID (CID) * extension in the next handshake. * - * Reference: draft-ietf-tls-dtls-connection-id-05 + * Reference: RFC 9146 (or draft-ietf-tls-dtls-connection-id-05 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 + * for legacy version) * * The DTLS CID extension allows the reliable association of * DTLS records to DTLS connections across changes in the diff --git a/library/ssl_msg.c b/library/ssl_msg.c index dbef29b3f9..ecf7a2b4aa 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
@@ -388,30 +388,80 @@ static int ssl_parse_inner_plaintext( unsigned char const *content, } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || MBEDTLS_SSL_PROTO_TLS1_3 */ -/* `add_data` must have size 13 Bytes if the CID extension is disabled, - * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */ +/* The size of the `add_data` structure depends on various + * factors, namely + * + * 1) CID functionality disabled + * + * additional_data = + * 8: seq_num + + * 1: type + + * 2: version + + * 2: length of inner plaintext + + * + * size = 13 bytes + * + * 2) CID functionality based on RFC 9146 enabled + * + * size = 8 + 1 + 1 + 1 + 2 + 2 + 6 + 2 + CID-length + * = 23 + CID-length + * + * 3) CID functionality based on legacy CID version + according to draft-ietf-tls-dtls-connection-id-05 + * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 + * + * size = 13 + 1 + CID-length + * + * More information about the CID usage: + * + * Per Section 5.3 of draft-ietf-tls-dtls-connection-id-05 the + * size of the additional data structure is calculated as: + * + * additional_data = + * 8: seq_num + + * 1: tls12_cid + + * 2: DTLSCipherText.version + + * n: cid + + * 1: cid_length + + * 2: length_of_DTLSInnerPlaintext + * + * Per RFC 9146 the size of the add_data structure is calculated as: + * + * additional_data = + * 8: seq_num_placeholder + + * 1: tls12_cid + + * 1: cid_length + + * 1: tls12_cid + + * 2: DTLSCiphertext.version + + * 2: epoch + + * 6: sequence_number + + * n: cid + + * 2: length_of_DTLSInnerPlaintext + * + */ static void ssl_extract_add_data_from_record( unsigned char* add_data, size_t *add_data_len, mbedtls_record *rec, mbedtls_ssl_protocol_version - tls_version, + tls_version, size_t taglen ) { - /* Quoting RFC 5246 (TLS 1.2): + /* Several types of ciphers have been defined for use with TLS and DTLS, + * and the MAC calculations for those ciphers differ slightly. 
Further + * variants were added when the CID functionality was added with RFC 9146. + * This implementations also considers the use of a legacy version of the + * CID specification published in draft-ietf-tls-dtls-connection-id-05, + * which is used in deployments. + * + * We will distinguish between the non-CID and the CID cases below. + * + * --- Non-CID cases --- + * + * Quoting RFC 5246 (TLS 1.2): * * additional_data = seq_num + TLSCompressed.type + * TLSCompressed.version + TLSCompressed.length; * - * For the CID extension, this is extended as follows - * (quoting draft-ietf-tls-dtls-connection-id-05, - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05): - * - * additional_data = seq_num + DTLSPlaintext.type + - * DTLSPlaintext.version + - * cid + - * cid_length + - * length_of_DTLSInnerPlaintext; - * * For TLS 1.3, the record sequence number is dropped from the AAD * and encoded within the nonce of the AEAD operation instead. * Moreover, the additional data involves the length of the TLS 
@@ -427,11 +477,72 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, * * TLSCiphertext.length = TLSInnerPlaintext.length + taglen. * - */ + * --- CID cases --- + * + * RFC 9146 uses a common pattern when constructing the data + * passed into a MAC / AEAD cipher. + * + * Data concatenation for MACs used with block ciphers with + * Encrypt-then-MAC Processing (with CID): + * + * data = seq_num_placeholder + + * tls12_cid + + * cid_length + + * tls12_cid + + * DTLSCiphertext.version + + * epoch + + * sequence_number + + * cid + + * DTLSCiphertext.length + + * IV + + * ENC(content + padding + padding_length) + * + * Data concatenation for MACs used with block ciphers (with CID): + * + * data = seq_num_placeholder + + * tls12_cid + + * cid_length + + * tls12_cid + + * DTLSCiphertext.version + + * epoch + + * sequence_number + + * cid + + * length_of_DTLSInnerPlaintext + + * DTLSInnerPlaintext.content + + * DTLSInnerPlaintext.real_type + + * DTLSInnerPlaintext.zeros + * + * AEAD ciphers use the following additional data calculation (with CIDs): + * + * additional_data = seq_num_placeholder + + * tls12_cid + + * cid_length + + * tls12_cid + + * DTLSCiphertext.version + + * epoch + + * sequence_number + + * cid + + * length_of_DTLSInnerPlaintext + * + * Section 5.3 of draft-ietf-tls-dtls-connection-id-05 (for legacy CID use) + * defines the additional data calculation as follows: + * + * additional_data = seq_num + + * tls12_cid + + * DTLSCipherText.version + + * cid + + * cid_length + + * length_of_DTLSInnerPlaintext + */ unsigned char *cur = add_data; size_t ad_len_field = rec->data_len; +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 + const unsigned char seq_num_placeholder[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; +#endif + #if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 ) { 
@@ -445,25 +556,78 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, { ((void) tls_version); ((void) taglen); - memcpy( cur, rec->ctr, sizeof( rec->ctr ) ); - cur += sizeof( rec->ctr ); + +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + +#if MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 + if( rec->cid_len != 0 ) + { + // seq_num_placeholder + memcpy( cur, seq_num_placeholder, sizeof(seq_num_placeholder) ); + cur += sizeof( seq_num_placeholder ); + + // tls12_cid type + *cur = rec->type; + cur++; + + // cid_length + *cur = rec->cid_len; + cur++; + } + else + { + // epoch + sequence number + memcpy( cur, rec->ctr, sizeof( rec->ctr ) ); + cur += sizeof( rec->ctr ); + } +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 */ +#else + // epoch + sequence number + memcpy(cur, rec->ctr, sizeof(rec->ctr)); + cur += sizeof(rec->ctr); +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ } + // type *cur = rec->type; cur++; + // version memcpy( cur, rec->ver, sizeof( rec->ver ) ); cur += sizeof( rec->ver ); -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - if( rec->cid_len != 0 ) +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 1 + + if (rec->cid_len != 0) { - memcpy( cur, rec->cid, rec->cid_len ); + // CID + memcpy(cur, rec->cid, rec->cid_len); cur += rec->cid_len; + // cid_length *cur = rec->cid_len; cur++; + // length of inner plaintext + MBEDTLS_PUT_UINT16_BE(ad_len_field, cur, 0); + cur += 2; + } + else +#elif defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 + + if( rec->cid_len != 0 ) + { + // epoch + sequence number + memcpy(cur, rec->ctr, sizeof(rec->ctr)); + cur += sizeof(rec->ctr); + + // CID + memcpy( cur, rec->cid, rec->cid_len ); + cur += rec->cid_len; + + // length of inner plaintext MBEDTLS_PUT_UINT16_BE( ad_len_field, cur, 0 ); cur += 2; } 
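Review bot: In the TLS 1.2 branch of ssl_extract_add_data_from_record(), a build with MBEDTLS_SSL_DTLS_CONNECTION_ID defined and MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT set to 1 compiles neither `memcpy( cur, rec->ctr, sizeof( rec->ctr ) )`, so the additional data starts at the record type and the sequence number is not authenticated, with or without a negotiated CID. Patch 10/12 of this series restructures the branch, but the ssl-opt.sh cases added here appear to pair a client and server from the same build, which cannot notice an error made identically on both sides. A known-answer test would catch it: feed a fixed record to this function and compare the output bytes with the three layouts in the comment above it (non-CID, RFC 9146, legacy draft). The function body continues past the end of this hunk.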
@@ -538,7 +702,14 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, mbedtls_ssl_mode_t ssl_mode; int auth_done = 0; unsigned char * data; - unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ]; + /* For an explanation of the additional data length see + * the descrpition of ssl_extract_add_data_from_record(). + */ +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + unsigned char add_data[23 + MBEDTLS_SSL_CID_OUT_LEN_MAX]; +#else + unsigned char add_data[13]; +#endif size_t add_data_len; size_t post_avail; @@ -1021,13 +1192,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, size_t sign_mac_length = 0; #endif /* MBEDTLS_USE_PSA_CRYPTO */ - /* - * MAC(MAC_write_key, seq_num + - * TLSCipherText.type + - * TLSCipherText.version + - * length_of( (IV +) ENC(...) ) + - * IV + - * ENC(content + padding + padding_length)); + /* MAC(MAC_write_key, add_data, IV, ENC(content + padding + padding_length)) */ if( post_avail < transform->maclen) @@ -1133,7 +1298,14 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, size_t padlen = 0, correct = 1; #endif unsigned char* data; - unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ]; + /* For an explanation of the additional data length see + * the descrpition of ssl_extract_add_data_from_record(). + */ +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + unsigned char add_data[23 + MBEDTLS_SSL_CID_IN_LEN_MAX]; +#else + unsigned char add_data[13]; +#endif size_t add_data_len; #if !defined(MBEDTLS_DEBUG_C) @@ -3487,7 +3659,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context const *ssl, { /* Shift pointers to account for record header including CID * struct { - * ContentType special_type = tls12_cid; + * ContentType outer_type = tls12_cid; * ProtocolVersion version; * uint16 epoch; * uint48 sequence_number; diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index f8140945da..79f34d3457 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c 
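Review bot: In mbedtls_ssl_encrypt_buf() and mbedtls_ssl_decrypt_buf() the literal 23 in `add_data[23 + MBEDTLS_SSL_CID_OUT_LEN_MAX]` and `add_data[23 + MBEDTLS_SSL_CID_IN_LEN_MAX]` must stay in step with what ssl_extract_add_data_from_record() writes, and that function takes no capacity argument. The sizes look sufficient for both layouts in its comment (23 + CID and 14 + CID), provided rec->cid_len never exceeds the configured maximum; these hunks do not show where that is enforced. I would define the bound once, for example `#define SSL_AAD_LEN_MAX( cid_max ) ( 23 + ( cid_max ) )` (constructed name), and check the returned add_data_len against it in both callers. "descrpition" in both new comments should read "description".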
@@ -235,9 +235,6 @@ static int ssl_write_cid_ext( mbedtls_ssl_context *ssl, size_t ext_len; /* - * Quoting draft-ietf-tls-dtls-connection-id-05 - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 - * * struct { * opaque cid<0..2^8-1>; * } ConnectionId; diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index eab27768bc..8d1923879f 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -358,9 +358,6 @@ static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl, } /* - * Quoting draft-ietf-tls-dtls-connection-id-05 - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 - * * struct { * opaque cid<0..2^8-1>; * } ConnectionId; @@ -1748,9 +1745,6 @@ static void ssl_write_cid_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding CID extension" ) ); /* - * Quoting draft-ietf-tls-dtls-connection-id-05 - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 - * * struct { * opaque cid<0..2^8-1>; * } ConnectionId; diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7f259f57dc..e89108eb9f 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -2449,6 +2449,25 @@ component_test_variable_ssl_in_out_buffer_len_CID () { tests/compat.sh } +component_test_variable_ssl_in_out_buffer_len_CID_legacy () { + msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)" + scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH + scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID + scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1 + + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID" + make test + + msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled" + tests/ssl-opt.sh + + msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled" + tests/compat.sh +} + component_test_ssl_alloc_buffer_and_mfl () { msg "build: default config with memory buffer allocator and MFL extension" scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index c4628b017e..36cb479d51 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -440,6 +440,14 @@ requires_max_content_len() { requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" $1 } +CID_MODE=$( get_config_value_or_default "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT" ) + +requires_cid_compat() { + if [ "$CID_MODE" = "0" ]; then + SKIP_NEXT="YES" + fi +} + # skip next test if GnuTLS isn't available requires_gnutls() { if [ -z "${GNUTLS_AVAILABLE:-}" ]; then 
@@ -2386,6 +2394,17 @@ run_test "Context serialization, client serializes, with CID" \ -S "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION +requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID +requires_cid_compat +run_test "Context serialization, client serializes, with CID (legacy)" \ + "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \ + "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \ + 0 \ + -c "Deserializing connection..." \ + -S "Deserializing connection..." + + requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION run_test "Context serialization, server serializes, CCM" \ "$P_SRV dtls=1 serialize=1 exchanges=2" \ @@ -2422,6 +2441,16 @@ run_test "Context serialization, server serializes, with CID" \ -C "Deserializing connection..." \ -s "Deserializing connection..." +requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION +requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID +requires_cid_compat +run_test "Context serialization, server serializes, with CID (legacy)" \ + "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \ + "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \ + 0 \ + -C "Deserializing connection..." \ + -s "Deserializing connection..." + requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION run_test "Context serialization, both serialize, CCM" \ 
@@ -2460,6 +2489,17 @@ run_test "Context serialization, both serialize, with CID" \ -s "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION +requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID +requires_cid_compat +run_test "Context serialization, both serialize, with CID (legacy)" \ + "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \ + "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \ + 0 \ + -c "Deserializing connection..." \ + -s "Deserializing connection..." + + requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION run_test "Context serialization, re-init, client serializes, CCM" \ "$P_SRV dtls=1 serialize=0 exchanges=2" \ @@ -2497,6 +2537,16 @@ run_test "Context serialization, re-init, client serializes, with CID" \ -S "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION +requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID +requires_cid_compat +run_test "Context serialization, re-init, client serializes, with CID (legacy)" \ + "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \ + "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \ + 0 \ + -c "Deserializing connection..." \ + -S "Deserializing connection..." + requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION run_test "Context serialization, re-init, server serializes, CCM" \ "$P_SRV dtls=1 serialize=2 exchanges=2" \ From 1df7070acc530560351a6fe6fdc7b9bef240fb9a Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 26 Oct 2022 17:08:54 +0100 Subject: [PATCH 02/12] Fix all.sh dependency on DTLS connection ID Ensure MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is unset where MBEDTLS_SSL_DTLS_CONNECTION_ID is unset. Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index e89108eb9f..55bdc14aa0 100755 
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1238,6 +1238,7 @@ component_test_full_no_cipher () {
 scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
 scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY
 scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID
+ scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
 scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
 scripts/config.py unset MBEDTLS_SSL_SRV_C
 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
From 4e0fca3737161e32ceefbb0204c677d914cefeee Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Thu, 27 Oct 2022 09:47:21 +0100
Subject: [PATCH 03/12] Fix test dependency on DTLS connection ID Ensure MBEDTLS_SSL_DTLS_CONNECTION_ID and MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT are unset when MBEDTLS_SSL_PROTO_DTLS is not set in tls13-only tests.
Signed-off-by: Dave Rodgman
---
 tests/configs/tls13-only.h | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h
index 0a22c544b7..751cdf8623 100644
--- a/tests/configs/tls13-only.h
+++ b/tests/configs/tls13-only.h
@@ -32,3 +32,5 @@
 #undef MBEDTLS_SSL_DTLS_ANTI_REPLAY
 #undef MBEDTLS_SSL_DTLS_HELLO_VERIFY
 #undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+#undef MBEDTLS_SSL_DTLS_CONNECTION_ID
+#undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
From 88e5566a9bc489039e0345e82d62afb3e0e531b7 Mon Sep 17 00:00:00 2001
From: Hannes Tschofenig
Date: Wed, 23 Nov 2022 10:14:54 +0100
Subject: [PATCH 04/12] Changed order of conditions in check_config.h
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Hannes Tschofenig
Signed-off-by: Manuel Pégourié-Gonnard
---
 include/mbedtls/check_config.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 43e538cf97..519c2b1ffc 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -903,8 +903,8 @@ #error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)" #endif -#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ - defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && \ + !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) #error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT defined, but not all prerequsites" #endif From e2c46e0413f9b6c145e54bc60a5848a03492dc70 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Wed, 23 Nov 2022 10:44:11 +0100 Subject: [PATCH 05/12] Reference to RFC 9146 added MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added deprecated keyword to MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT Signed-off-by: Hannes Tschofenig Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/mbedtls_config.h | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 7706250104..8f45236940 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1320,9 +1320,10 @@ /** * \def MBEDTLS_SSL_DTLS_CONNECTION_ID * - * Enable support for the DTLS Connection ID extension, + * Enable support for the DTLS Connection ID (CID) extension, * which allows to identify DTLS connections across changes - * in the underlying transport. + * in the underlying transport. The CID functionality is described + * in RFC 9146. * * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`, * mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and 
@@ -1352,6 +1353,13 @@ * Set the value to 0 for the standard version, and * 1 for the legacy draft version. * + * \deprecated Support for the legacy version of the DTLS + * Connection ID feature is deprecated. Please + * switch to the standardized version defined + * in RFC 9146 enabled by utilizing + * MBEDTLS_SSL_DTLS_CONNECTION_ID without use + * of MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT. + * * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID */ #define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 From b2e661562557568aef263e880b80c6a441f0c385 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Wed, 23 Nov 2022 10:53:44 +0100 Subject: [PATCH 06/12] Added deprecated warning in check_config.h MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Warns about the removal of the legacy DTLS Connection ID feature in a future version of Mbed TLS. Signed-off-by: Hannes Tschofenig Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/check_config.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 519c2b1ffc..6bfb9faa55 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -908,6 +908,13 @@ #error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT defined, but not all prerequsites" #endif +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0 +#if defined(MBEDTLS_DEPRECATED_REMOVED) +#error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is deprecated and will be removed in a future version of Mbed TLS" +#elif defined(MBEDTLS_DEPRECATED_WARNING) +#warning "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is deprecated and will be removed in a future version of Mbed TLS" +#endif +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0 */ #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) From 6b6b63f039ebb19d5a7eafd05aa84b98c68a1075 Mon Sep 17 00:00:00 2001 
From: Hannes Tschofenig Date: Wed, 23 Nov 2022 10:57:06 +0100 Subject: [PATCH 07/12] Added closing SECTION of doxygen markup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Hannes Tschofenig Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/ssl.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 2a8a06dfb9..3a4d660cf9 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -402,6 +402,8 @@ #define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 #endif +/** \} name SECTION: Module settings */ + /* * Default to standard CID mode */ From df84bb30abf4a9d4e71ea5cf20fd64962ed379c4 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Wed, 23 Nov 2022 11:14:03 +0100 Subject: [PATCH 08/12] Removed MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH from CID tests in all.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added also extra text. Signed-off-by: Hannes Tschofenig Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/all.sh | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index ce92c1b417..51a88b7fbd 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -2711,39 +2711,37 @@ component_test_variable_ssl_in_out_buffer_len () { } component_test_variable_ssl_in_out_buffer_len_CID () { - msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled (ASan build)" - scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH + msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (standard) enabled (ASan build)" scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID" + msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (standard)" make test - msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled" + msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (standard) enabled" tests/ssl-opt.sh - msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled" + msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (standard) enabled" tests/compat.sh } component_test_variable_ssl_in_out_buffer_len_CID_legacy () { - msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)" - scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH + msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)" scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 
make - msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID" + msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)" make test - msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled" + msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" tests/ssl-opt.sh - msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled" + msg "test: compat.sh, MMBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" tests/compat.sh } From db01d050112a4f41be5719db4e0fb1bdd71d9631 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Wed, 23 Nov 2022 11:18:19 +0100 Subject: [PATCH 09/12] Removal of redundant DTLS CID test in ssl-opt.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per suggestion from Manuel, I removed this redundant test. Signed-off-by: Hannes Tschofenig Signed-off-by: Manuel Pégourié-Gonnard --- tests/ssl-opt.sh | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 31c007e622..cc0ac55cbf 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2580,18 +2580,6 @@ run_test "Context serialization, client serializes, with CID" \ -c "Deserializing connection..." \ -S "Deserializing connection..." -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_cid_compat -run_test "Context serialization, client serializes, with CID (legacy)" \ - "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \ - "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \ - 0 \ - -c "Deserializing connection..." \ - -S "Deserializing connection..." - - requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION run_test "Context serialization, server serializes, CCM" \ "$P_SRV dtls=1 serialize=1 exchanges=2" \ 
From 61336848a922d29e45b06e79e3058be2a1a5a1b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 25 Nov 2022 11:12:38 +0100 Subject: [PATCH 10/12] Fix bug when legacy CID is enabled but not used MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When legacy CID is enabled at compile time, but not used at runtime, we would incorrectly skip the sequence number at the beginning of the AAD. There was already two "else" branches for writing the sequence number but none of them was taken in that particular case. Simplify the structure of the code: with TLS 1.2 (we're already in that branch), we always write the sequence number, unless we're using standard CID. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_msg.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 58e6af2a56..c523b82492 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -551,9 +551,8 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, ((void) tls_version); ((void) taglen); -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - -#if MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 if( rec->cid_len != 0 ) { // seq_num_placeholder @@ -569,17 +568,12 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, cur++; } else +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ { // epoch + sequence number memcpy( cur, rec->ctr, sizeof( rec->ctr ) ); cur += sizeof( rec->ctr ); } -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 */ -#else - // epoch + sequence number - memcpy(cur, rec->ctr, sizeof(rec->ctr)); - cur += sizeof(rec->ctr); -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ } // type From 5a454f7781a36dbf9c34eeaf1db892184a7496ad Mon Sep 17 00:00:00 2001 
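Review bot: In the ssl_msg.c hunk of patch 10/12 the retained `#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */` now closes `#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0`, so its comment names only half of the condition. Because an `else` is left dangling across that `#endif`, the comment is what tells a reader which builds always take the sequence-number block; I would write `#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 */`. The commit message describes only the case "enabled at compile time, but not used at runtime". From the removed lines it appears a legacy build also skipped the sequence number for records that carry a CID, and the message should say so, since it changes the bytes that are authenticated.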
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 25 Nov 2022 11:25:08 +0100 Subject: [PATCH 11/12] Remove redundant tests in ssl-opt.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We don't need to have two copies of the test with one of them depending on legacy/compat CID: we can have just one copy, but make sure we run ssl-opt.sh both in a build with standard CID and in a build with legacy/compat - that's the job of all.sh (see next commit). Signed-off-by: Manuel Pégourié-Gonnard --- tests/ssl-opt.sh | 41 ----------------------------------------- 1 file changed, 41 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index cc0ac55cbf..de9498374a 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -525,14 +525,6 @@ requires_max_content_len() { requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" $1 } -CID_MODE=$( get_config_value_or_default "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT" ) - -requires_cid_compat() { - if [ "$CID_MODE" = "0" ]; then - SKIP_NEXT="YES" - fi -} - # skip next test if GnuTLS isn't available requires_gnutls() { if [ -z "${GNUTLS_AVAILABLE:-}" ]; then @@ -2616,16 +2608,6 @@ run_test "Context serialization, server serializes, with CID" \ -C "Deserializing connection..." \ -s "Deserializing connection..." -requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_cid_compat -run_test "Context serialization, server serializes, with CID (legacy)" \ - "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \ - "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \ - 0 \ - -C "Deserializing connection..." \ - -s "Deserializing connection..." - requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION run_test "Context serialization, both serialize, CCM" \ 
@@ -2663,18 +2645,6 @@ run_test "Context serialization, both serialize, with CID" \ -c "Deserializing connection..." \ -s "Deserializing connection..." -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_cid_compat -run_test "Context serialization, both serialize, with CID (legacy)" \ - "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \ - "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \ - 0 \ - -c "Deserializing connection..." \ - -s "Deserializing connection..." - - requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION run_test "Context serialization, re-init, client serializes, CCM" \ "$P_SRV dtls=1 serialize=0 exchanges=2" \ @@ -2711,17 +2681,6 @@ run_test "Context serialization, re-init, client serializes, with CID" \ -c "Deserializing connection..." \ -S "Deserializing connection..." -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_cid_compat -run_test "Context serialization, re-init, client serializes, with CID (legacy)" \ - "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \ - "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \ - 0 \ - -c "Deserializing connection..." \ - -S "Deserializing connection..." - requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION run_test "Context serialization, re-init, server serializes, CCM" \ "$P_SRV dtls=1 serialize=2 exchanges=2" \ From 6a543ba1d3f55a161e2f7c6195535a2386e9431e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 25 Nov 2022 11:30:10 +0100 Subject: [PATCH 12/12] Remove redundant component in all.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CID is now enabled in the default config (as well as full), so it's already tested in numerous all.sh components, not need to add one for that. We need a component for the legacy/compat option though as it's never enabled in existing components. So, keep that one, but adjust the name and fix a typo in a message. Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/all.sh | 22 ++-------------------- 1 file changed, 2 insertions(+), 20 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 51a88b7fbd..397e765053 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2710,26 +2710,8 @@ component_test_variable_ssl_in_out_buffer_len () { tests/compat.sh } -component_test_variable_ssl_in_out_buffer_len_CID () { - msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (standard) enabled (ASan build)" - scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID - - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (standard)" - make test - - msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (standard) enabled" - tests/ssl-opt.sh - - msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (standard) enabled" - tests/compat.sh -} - -component_test_variable_ssl_in_out_buffer_len_CID_legacy () { +component_test_dtls_cid_legacy () { msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)" - scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 
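Review bot: The renamed `component_test_dtls_cid_legacy` has no comment explaining why it must stay, although per the commit message it is the only component that builds with `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT` set to 1. A line above the function such as `# Only component covering the legacy (draft-05) CID record format; CID itself is on in the default config.` would keep it from being dropped as redundant later. With the explicit `scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID` removed, the component now depends on the default config enabling that option. That looks safe as long as check_config.h rejects the compat option without it, which this hunk does not show. The function body continues past the end of the hunk.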
@@ -2741,7 +2723,7 @@ component_test_variable_ssl_in_out_buffer_len_CID_legacy () { msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" tests/ssl-opt.sh - msg "test: compat.sh, MMBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" + msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" tests/compat.sh }