-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
User parameter #182
User parameter #182
Conversation
Add cipher suites with full 16 byte MAC. Signed-off-by: Achim Kraus <[email protected]>
Use cipher_suite_param_t for cipher-suite specific mac_len and key_exchange_algorithm. Introduce dtls_cipher_index_t for simplified cipher-suite parameter lookup. Cleanup old functions. Signed-off-by: Achim Kraus <[email protected]>
Signed-off-by: Achim Kraus <[email protected]>
Signed-off-by: Achim Kraus <[email protected]>
The tests makefile only supports simple test programs. Use include instead of additional object files. Signed-off-by: Achim Kraus <[email protected]>
Supports RFC5746 minimal version without renegotiation. Signed-off-by: Achim Kraus <[email protected]>
Add detailed documentation about the message length calculations. Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV to DTLS_CH_LENGTH_MAX. Remove eclipse_curves from ServerHello length. Signed-off-by: Achim Kraus <[email protected]>
dtls.c
Outdated
/* TLS_NULL_WITH_NULL_NULL must always be the last entry as it | ||
* indicates the stop marker for the traversal of this table. */ | ||
TLS_NULL_WITH_NULL_NULL | ||
TLS_NULL_WITH_NULL_NULL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now the comment above this line is not aligned anymore.
tests/dtls-client.c
Outdated
user_parameters->force_renegotiation_info = force_renegotiation_info; | ||
if (ciphers) { | ||
int index = 0; | ||
while (index <= DTLS_MAX_CIPHER_SUITES) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that this loop only does the correct thing if ciphers does not contain more than DTLS_MAX_CIPHER_SUITES elements because otherwise, the terminating TLS_NULL_WITH_NULL_NULL will be copied. Is this guaranteed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I considered, that the length of ciphers
is not larger than DTLS_MAX_CIPHER_SUITES + 1.
The condition protects the destination array dtls_cipher_t cipher_suites[DTLS_MAX_CIPHER_SUITES + 1];
from overflow.
But I guess, it must be corrected to index < DTLS_MAX_CIPHER_SUITES
to ensure, that there is space for a trailing TLS_NULL_WITH_NULL_NULL and that trailing TLS_NULL_WITH_NULL_NULL must be added in the case of reaching DTLS_MAX_CIPHER_SUITES.
I will adapt the implementation.
tests/dtls-server.c
Outdated
user_parameters->force_renegotiation_info = force_renegotiation_info; | ||
if (ciphers) { | ||
int index = 0; | ||
while (index <= DTLS_MAX_CIPHER_SUITES) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same as in dtls-client.c
Thank you very much for this proposal. I think that combining the user parameters into a single callback function results in a more compact and comprehensible configuration. |
Callback for user parameters. Includes cipher suites and flags to enforce security features. Cleanup test dtls-client. Signed-off-by: Achim Kraus <[email protected]>
No description provided.