User parameter #182
User parameter #182
Conversation
Add cipher suites with full 16 byte MAC. Signed-off-by: Achim Kraus <[email protected]>
Use cipher_suite_param_t for cipher-suite specific mac_len and key_exchange_algorithm. Introduce dtls_cipher_index_t for simplified cipher-suite parameter lookup. Cleanup old functions. Signed-off-by: Achim Kraus <[email protected]>
Signed-off-by: Achim Kraus <[email protected]>
Signed-off-by: Achim Kraus <[email protected]>
The tests makefile only supports simple test programs. Use include instead of additional object files. Signed-off-by: Achim Kraus <[email protected]>
Supports RFC5746 minimal version without renegotiation. Signed-off-by: Achim Kraus <[email protected]>
Add detailed documentation about the message length calculations. Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV to DTLS_CH_LENGTH_MAX. Remove eclipse_curves from ServerHello length. Signed-off-by: Achim Kraus <[email protected]>
dtls.c
Outdated
| /* TLS_NULL_WITH_NULL_NULL must always be the last entry as it | ||
| * indicates the stop marker for the traversal of this table. */ | ||
| TLS_NULL_WITH_NULL_NULL | ||
| TLS_NULL_WITH_NULL_NULL |
There was a problem hiding this comment.
Now the comment above this line is not aligned anymore.
tests/dtls-client.c
Outdated
| user_parameters->force_renegotiation_info = force_renegotiation_info; | ||
| if (ciphers) { | ||
| int index = 0; | ||
| while (index <= DTLS_MAX_CIPHER_SUITES) { |
There was a problem hiding this comment.
I think that this loop only does the correct thing if ciphers does not contain more than DTLS_MAX_CIPHER_SUITES elements because otherwise, the terminating TLS_NULL_WITH_NULL_NULL will be copied. Is this guaranteed?
There was a problem hiding this comment.
I considered, that the length of ciphers is not larger than DTLS_MAX_CIPHER_SUITES + 1.
The condition protects the destination array dtls_cipher_t cipher_suites[DTLS_MAX_CIPHER_SUITES + 1]; from overflow.
But I guess, it must be corrected to index < DTLS_MAX_CIPHER_SUITES to ensure, that there is space for a trailing TLS_NULL_WITH_NULL_NULL and that trailing TLS_NULL_WITH_NULL_NULL must be added in the case of reaching DTLS_MAX_CIPHER_SUITES.
I will adapt the implementation.
tests/dtls-server.c
Outdated
| user_parameters->force_renegotiation_info = force_renegotiation_info; | ||
| if (ciphers) { | ||
| int index = 0; | ||
| while (index <= DTLS_MAX_CIPHER_SUITES) { |
|
Thank you very much for this proposal. I think that combining the user parameters into a single callback function results in a more compact and comprehensible configuration. |
Callback for user parameters. Includes cipher suites and flags to enforce security features. Cleanup test dtls-client. Signed-off-by: Achim Kraus <[email protected]>
No description provided.