Skip to content

Commit

Permalink
Implement DTLS 1.2 Connection ID (CID)
Browse files Browse the repository at this point in the history
  • Loading branch information
julek-wolfssl committed Sep 17, 2024
1 parent 6f937f5 commit f67e65f
Show file tree
Hide file tree
Showing 14 changed files with 956 additions and 573 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/os-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,8 @@ jobs:
'--enable-all --enable-dtls13 --enable-dtls-frag-ch',
'--enable-dtls --enable-dtls13 --enable-dtls-frag-ch
--enable-dtls-mtu',
'--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation
--enable-psk --enable-aesccm --enable-nullcipher CPPFLAGS=-DWOLFSSL_STATIC_RSA',
]
name: make check
runs-on: ${{ matrix.os }}
Expand Down
5 changes: 1 addition & 4 deletions examples/client/client.c
Original file line number Diff line number Diff line change
Expand Up @@ -4184,10 +4184,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)

printf("CID extension was negotiated\n");
ret = wolfSSL_dtls_cid_get_tx_size(ssl, &receivedCIDSz);
if (ret != WOLFSSL_SUCCESS)
err_sys("Can't get negotiated DTLS CID size\n");

if (receivedCIDSz > 0) {
if (ret == WOLFSSL_SUCCESS && receivedCIDSz > 0) {
ret = wolfSSL_dtls_cid_get_tx(ssl, receivedCID,
DTLS_CID_BUFFER_SIZE - 1);
if (ret != WOLFSSL_SUCCESS)
Expand Down
5 changes: 1 addition & 4 deletions examples/server/server.c
Original file line number Diff line number Diff line change
Expand Up @@ -3595,10 +3595,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
unsigned int receivedCIDSz;
printf("CID extension was negotiated\n");
ret = wolfSSL_dtls_cid_get_tx_size(ssl, &receivedCIDSz);
if (ret != WOLFSSL_SUCCESS)
err_sys("Can't get negotiated DTLS CID size\n");

if (receivedCIDSz > 0) {
if (ret == WOLFSSL_SUCCESS && receivedCIDSz > 0) {
ret = wolfSSL_dtls_cid_get_tx(ssl, receivedCID,
DTLS_CID_BUFFER_SIZE - 1);
if (ret != WOLFSSL_SUCCESS)
Expand Down
85 changes: 42 additions & 43 deletions src/dtls.c
Original file line number Diff line number Diff line change
Expand Up @@ -1038,22 +1038,6 @@ int DoClientHelloStateless(WOLFSSL* ssl, const byte* input, word32 helloSz,

#if defined(WOLFSSL_DTLS_CID)

typedef struct ConnectionID {
byte length;
/* Ignore "nonstandard extension used : zero-sized array in struct/union"
* MSVC warning */
#ifdef _MSC_VER
#pragma warning(disable: 4200)
#endif
byte id[];
} ConnectionID;

typedef struct CIDInfo {
ConnectionID* tx;
ConnectionID* rx;
byte negotiated : 1;
} CIDInfo;

static ConnectionID* DtlsCidNew(const byte* cid, byte size, void* heap)
{
ConnectionID* ret;
Expand All @@ -1079,20 +1063,22 @@ static int DtlsCidGetSize(WOLFSSL* ssl, unsigned int* size, int rx)
ConnectionID* id;
CIDInfo* info;

if (ssl == NULL || size == NULL)
if (ssl == NULL)
return BAD_FUNC_ARG;

info = DtlsCidGetInfo(ssl);
if (info == NULL)
return WOLFSSL_FAILURE;

id = rx ? info->rx : info->tx;
if (id == NULL) {
*size = 0;
return WOLFSSL_SUCCESS;
if (id == NULL || id->length == 0) {
if (size != NULL)
*size = 0;
return WOLFSSL_FAILURE;
}

*size = id->length;
if (size != NULL)
*size = id->length;
return WOLFSSL_SUCCESS;
}

Expand Down Expand Up @@ -1231,9 +1217,8 @@ int TLSX_ConnectionID_Use(WOLFSSL* ssl)
int TLSX_ConnectionID_Parse(WOLFSSL* ssl, const byte* input, word16 length,
byte isRequest)
{
ConnectionID* id;
CIDInfo* info;
byte cidSize;
byte cidSz;
TLSX* ext;

ext = TLSX_Find(ssl->extensions, TLSX_CONNECTION_ID);
Expand All @@ -1254,31 +1239,41 @@ int TLSX_ConnectionID_Parse(WOLFSSL* ssl, const byte* input, word16 length,
return BAD_STATE_E;

/* it may happen if we process two ClientHello because the server sent an
* HRR request */
* HRR/HVR request */
if (info->tx != NULL) {
if (ssl->options.side != WOLFSSL_SERVER_END &&
ssl->options.serverState != SERVER_HELLO_RETRY_REQUEST_COMPLETE)
ssl->options.serverState != SERVER_HELLO_RETRY_REQUEST_COMPLETE &&
!IsSCR(ssl))
return BAD_STATE_E;

XFREE(info->tx, ssl->heap, DYNAMIC_TYPE_TLSX);
info->tx = NULL;
if (!info->negotiated) {
XFREE(info->tx, ssl->heap, DYNAMIC_TYPE_TLSX);
info->tx = NULL;
}
}

if (length < OPAQUE8_LEN)
return BUFFER_ERROR;

cidSize = *input;
if (cidSize + OPAQUE8_LEN > length)
cidSz = *input;
if (cidSz + OPAQUE8_LEN > length)
return BUFFER_ERROR;

if (cidSize > 0) {
id = (ConnectionID*)XMALLOC(sizeof(*id) + cidSize, ssl->heap,
DYNAMIC_TYPE_TLSX);
if (id == NULL)
return MEMORY_ERROR;
XMEMCPY(id->id, input + OPAQUE8_LEN, cidSize);
id->length = cidSize;
info->tx = id;
if (cidSz > 0) {
if (!info->negotiated) {
ConnectionID* id = (ConnectionID*)XMALLOC(sizeof(*id) + cidSz,
ssl->heap, DYNAMIC_TYPE_TLSX);
if (id == NULL)
return MEMORY_ERROR;
XMEMCPY(id->id, input + OPAQUE8_LEN, cidSz);
id->length = cidSz;
info->tx = id;
}
else {
/* For now we don't support changing the CID on a rehandshake */
if (XMEMCMP(info->tx->id, input + OPAQUE8_LEN, cidSz) != 0)
return DTLS_CID_ERROR;
}
}

info->negotiated = 1;
Expand Down Expand Up @@ -1317,10 +1312,6 @@ int wolfSSL_dtls_cid_use(WOLFSSL* ssl)
{
int ret;

/* CID is supported on DTLSv1.3 only */
if (!IsAtLeastTLSv1_3(ssl->version))
return WOLFSSL_FAILURE;

ssl->options.useDtlsCID = 1;
ret = TLSX_ConnectionID_Use(ssl);
if (ret != 0)
Expand All @@ -1345,8 +1336,11 @@ int wolfSSL_dtls_cid_set(WOLFSSL* ssl, unsigned char* cid, unsigned int size)
if (cidInfo == NULL)
return WOLFSSL_FAILURE;

XFREE(cidInfo->rx, ssl->heap, DYNAMIC_TYPE_TLSX);
cidInfo->rx = NULL;
if (cidInfo->rx != NULL) {
WOLFSSL_MSG("wolfSSL doesn't support changing the CID during a "
"connection");
return WOLFSSL_FAILURE;
}

/* empty CID */
if (size == 0)
Expand Down Expand Up @@ -1384,6 +1378,11 @@ int wolfSSL_dtls_cid_get_tx(WOLFSSL* ssl, unsigned char* buf,
return DtlsCidGet(ssl, buf, bufferSz, 0);
}

int wolfSSL_dtls_cid_max_size(void)
{
return DTLS_CID_MAX_SIZE;
}

#endif /* WOLFSSL_DTLS_CID */
#endif /* WOLFSSL_DTLS */

Expand Down
12 changes: 6 additions & 6 deletions src/dtls13.c
Original file line number Diff line number Diff line change
Expand Up @@ -1074,23 +1074,23 @@ static byte Dtls13GetCidRxSize(WOLFSSL* ssl)

static int Dtls13AddCID(WOLFSSL* ssl, byte* flags, byte* out, word16* idx)
{
byte cidSize;
byte cidSz;
int ret;

if (!wolfSSL_dtls_cid_is_enabled(ssl))
return 0;

cidSize = Dtls13GetCidTxSize(ssl);
cidSz = Dtls13GetCidTxSize(ssl);

/* no cid */
if (cidSize == 0)
if (cidSz == 0)
return 0;
*flags |= DTLS13_CID_BIT;
/* we know that we have at least cidSize of space */
ret = wolfSSL_dtls_cid_get_tx(ssl, out + *idx, cidSize);
/* we know that we have at least cidSz of space */
ret = wolfSSL_dtls_cid_get_tx(ssl, out + *idx, cidSz);
if (ret != WOLFSSL_SUCCESS)
return ret;
*idx += cidSize;
*idx += cidSz;
return 0;
}

Expand Down
Loading

0 comments on commit f67e65f

Please sign in to comment.