-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CID update to RFC 9146 #6264
CID update to RFC 9146 #6264
Conversation
The DTLS 1.2 CID specification has been published as RFC 9146. This PR updates the implementation to match the RFC content. Signed-off-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
Looks like there is a compile issue with TLS 1.3-only configurations |
The DTLS 1.2 CID specification has been published as RFC 9146. This PR updates the implementation to match the RFC content. Upstream PR: Mbed-TLS/mbedtls#6264 Signed-off-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
The CI rightly points out that the current Mbed TLS implementation only supports TLS 1.3 and not DTLS 1.3. Hence, if you enable only TLS 1.3 support then this feature is not applicable at this point in time. |
@hannestschofenig does this PR superseed #5061? If so, why not close the older one? |
The DTLS 1.2 CID specification has been published as RFC 9146. This PR updates the implementation to match the RFC content. Upstream PR: Mbed-TLS/mbedtls#6264 Signed-off-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
Ensure MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is unset where MBEDTLS_SSL_DTLS_CONNECTION_ID is unset. Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
I updated my local mbedtls to this PR in order to run Eclipse/Californium - mbedtls interoperability tests. Tests are successful. Thanks @hannestschofenig ! |
Ensure MBEDTLS_SSL_DTLS_CONNECTION_ID and MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT are unset when MBEDTLS_SSL_PROTO_DTLS is not set in tls13-only tests. Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
We don't need to have two copies of the test with one of them depending on legacy/compat CID: we can have just one copy, but make sure we run ssl-opt.sh both in a build with standard CID and in a build with legacy/compat - that's the job of all.sh (see next commit). Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
CID is now enabled in the default config (as well as full), so it's already tested in numerous all.sh components, not need to add one for that. We need a component for the legacy/compat option though as it's never enabled in existing components. So, keep that one, but adjust the name and fix a typo in a message. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Hi Thomas, If I remember well, you're the expert for the DTLS 1.2 CID / CBC support. |
That's only a short test, so the time spend doesn't matter. |
I just pushed an updated version that should fix the CI failure. At least the component that was failing on the CI is not passing locally on my machine, hopefully I haven't broken anything else in the process. I've also force-pushed to edit the commit message of the last 6 commits from Hannes and make the DCO check happy. The previous HEAD before I force-pushed was 13fe72c - I've edited the messages from the last 6 commits without changing their content, and added 3 new commits on top: 1 to fix the failure, and 2 to address my own feedback about redundant tests. @d3zd3z @hannestschofenig please review! |
With commit 6a543ba it works from my side. My tests are not intensive, they mainly ensure a basic interoperability. Tested ciphersuites: "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256" |
Thanks! Basic interop is already great! |
I've tested interop of the compat version with previous versions of Mbed TLS. Steps taken:
Testing against programs from test 1 consisted of:
|
CI's good. @hannestschofenig @d3zd3z Please review the latest commits. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. I wonder if MMBEDTLS is the yummier version.
Aw, we managed to forget the ChangeLog entry. See #6681 |
The DTLS 1.2 CID specification has been published as RFC 9146. This PR updates the implementation to match the RFC content. Upstream PR: Mbed-TLS/mbedtls#6264 Signed-off-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
Mbed-TLS#6264 was missing a changelog entry. Unfortunately we didn't catch it when preparing the 3.3.0 release. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The DTLS 1.2 CID specification has been published as RFC 9146. This PR updates the implementation to match the RFC content.
Signed-off-by: Hannes Tschofenig hannes.tschofenig@arm.com
Description
The DTLS 1.2 CID specification was published as RFC 9146. This PR updates the implementation to match the RFC content.
There are two compile-time options, namely
Status
READY
Requires Backporting
NO. This PR does not require backporting.
Migrations
NO.
There are no changes to the API but enhancements to the API.
Additional comments
Todos
Steps to test or reproduce
The code has been tested against Californium.