Implement mbedtls_ssl_get_peer_cid()
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 2750b4e..45cafff 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -151,19 +151,35 @@
return( 0 );
}
-/* WARNING: This implementation is a stub and doesn't do anything!
- * It is included solely to allow review and coding against
- * the new Connection CID API. */
+/* WARNING: The CID feature isn't fully implemented yet
+ * and will not be used. */
int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
int *enabled,
unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ],
size_t *peer_cid_len )
{
- ((void) ssl);
- ((void) peer_cid);
- ((void) peer_cid_len);
-
*enabled = MBEDTLS_SSL_CID_DISABLED;
+
+ if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+ /* What shall we report if we have exchanged if both client
+ * and server have used the CID extension, but negotiated
+ * empty CIDs? This is indistinguishable from not using the
+ * CID extension in the first place, and we're reporting
+ * MBEDTLS_SSL_CID_DISABLED in this case. */
+ if( ssl->transform_in->in_cid_len == 0 &&
+ ssl->transform_in->out_cid_len == 0 )
+ {
+ return( 0 );
+ }
+
+ *peer_cid_len = ssl->transform_in->out_cid_len;
+ memcpy( peer_cid, ssl->transform_in->out_cid,
+ ssl->transform_in->out_cid_len );
+
+ *enabled = MBEDTLS_SSL_CID_ENABLED;
+
return( 0 );
}
#endif /* MBEDTLS_SSL_CID */
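Review bot: The enabled branch dereferences `peer_cid_len` and `peer_cid` unconditionally (the `*peer_cid_len = ...` assignment and the `memcpy`), so a caller that only wants the `enabled` flag cannot pass NULL for them; if the public header documents those arguments as optional, which this hunk does not show, both should be guarded before they are written. The comment above the empty-CID early return is hard to parse (`What shall we report if we have exchanged if both client ...`) and could be tightened to `/* Both peers used the CID extension but negotiated empty CIDs; this is indistinguishable from not using the extension, so report MBEDTLS_SSL_CID_DISABLED. */`. The copy length also relies on `transform_in->out_cid_len` never exceeding `MBEDTLS_SSL_CID_OUT_LEN_MAX`, which presumably is enforced where the transform is populated, outside this hunk. Setting `*enabled` before the state check is fine, since it gives the caller a defined value even on the error path.
```c
    /* … unchanged: state check and empty-CID early return … */

    if( peer_cid_len != NULL )
    {
        *peer_cid_len = ssl->transform_in->out_cid_len;
        if( peer_cid != NULL )
        {
            memcpy( peer_cid, ssl->transform_in->out_cid,
                    ssl->transform_in->out_cid_len );
        }
    }

    *enabled = MBEDTLS_SSL_CID_ENABLED;
```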