commit d91dc3767fc793db4d2db7fb89329eea24363ddb
author Hanno Becker <hanno.becker@arm.com> Tue Apr 30 13:52:29 2019 +0100
committer Hanno Becker <hanno.becker@arm.com> Fri May 17 10:23:47 2019 +0100
tree 5735a346b99cc165a2d18ff590a8562b27b825c9
parent 92c930f7c4478726138b210d73c462058f70a626

Skip copying CIDs to SSL transforms until CID feature is complete

This commit temporarily comments the copying of the negotiated CIDs
into the established ::mbedtls_ssl_transform in mbedtls_ssl_derive_keys()
until the CID feature has been fully implemented.

While mbedtls_ssl_decrypt_buf() and mbedtls_ssl_encrypt_buf() do
support CID-based record protection by now and can be unit tested,
the following two changes in the rest of the stack are still missing
before CID-based record protection can be integrated:
- Parsing of CIDs in incoming records.
- Allowing the new CID record content type for incoming records.
- Dealing with a change of record content type during record
  decryption.

Further, since mbedtls_ssl_get_peer_cid() judges the use of CIDs by
the CID fields in the currently transforms, this change also requires
temporarily disabling some grepping for ssl_client2 / ssl_server2
debug output in ssl-opt.sh.

tests/ssl-opt.sh

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 60879b5..6b6c4ae 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1163,11 +1163,12 @@
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -c "Peer CID (length 2 Bytes): de ad" \
-            -s "Peer CID (length 2 Bytes): be ef"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -c "Peer CID (length 2 Bytes): de ad" \
+#            -s "Peer CID (length 2 Bytes): be ef"
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Client CID empty" \
@@ -1183,11 +1184,12 @@
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -c "Peer CID (length 4 Bytes): de ad be ef" \
-            -s "Peer CID (length 0 Bytes):"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -c "Peer CID (length 4 Bytes): de ad be ef" \
+#            -s "Peer CID (length 0 Bytes):" \
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Server CID empty" \
@@ -1203,11 +1205,12 @@
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -s "Peer CID (length 4 Bytes): de ad be ef" \
-            -c "Peer CID (length 0 Bytes):"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -s "Peer CID (length 4 Bytes): de ad be ef" \
+#            -c "Peer CID (length 0 Bytes):"
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty" \
@@ -1241,11 +1244,12 @@
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -c "Peer CID (length 2 Bytes): de ad" \
-            -s "Peer CID (length 2 Bytes): be ef"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -c "Peer CID (length 2 Bytes): de ad" \
+#            -s "Peer CID (length 2 Bytes): be ef" \
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CCM-8" \
@@ -1261,11 +1265,12 @@
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -c "Peer CID (length 4 Bytes): de ad be ef" \
-            -s "Peer CID (length 0 Bytes):"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -c "Peer CID (length 4 Bytes): de ad be ef" \
+#            -s "Peer CID (length 0 Bytes):" \
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CCM-8" \
@@ -1281,11 +1286,12 @@
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -s "Peer CID (length 4 Bytes): de ad be ef" \
-            -c "Peer CID (length 0 Bytes):"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -s "Peer CID (length 4 Bytes): de ad be ef" \
+#            -c "Peer CID (length 0 Bytes):" \
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CCM-8" \
@@ -1319,11 +1325,12 @@
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -c "Peer CID (length 2 Bytes): de ad" \
-            -s "Peer CID (length 2 Bytes): be ef"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -c "Peer CID (length 2 Bytes): de ad" \
+#            -s "Peer CID (length 2 Bytes): be ef" \
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CBC" \
@@ -1339,11 +1346,12 @@
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -c "Peer CID (length 4 Bytes): de ad be ef" \
-            -s "Peer CID (length 0 Bytes):"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -c "Peer CID (length 4 Bytes): de ad be ef" \
+#            -s "Peer CID (length 0 Bytes):" \
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CBC" \
@@ -1359,11 +1367,12 @@
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -s "Peer CID (length 4 Bytes): de ad be ef" \
-            -c "Peer CID (length 0 Bytes):"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -s "Peer CID (length 4 Bytes): de ad be ef" \
+#            -c "Peer CID (length 0 Bytes):" \
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CBC" \
@@ -1398,11 +1407,12 @@
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -c "Peer CID (length 2 Bytes): de ad" \
-            -s "Peer CID (length 2 Bytes): be ef"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -c "Peer CID (length 2 Bytes): de ad" \
+#            -s "Peer CID (length 2 Bytes): be ef"
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 # Tests for Encrypt-then-MAC extension