diff options
| author | FdaSilvaYY <fdasilvayy@gmail.com> | 2017-11-05 17:46:48 +0100 |
|---|---|---|
| committer | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2017-11-05 17:46:48 +0100 |
| commit | cf72c7579201086cee303eadcb60bd28eff78dd9 (patch) | |
| tree | 35c096098b2527a814c95cc674bb54747e3054a0 /ssl | |
| parent | b82acc3c1a7f304c9df31841753a0fa76b5b3cda (diff) | |
| download | openssl-cf72c7579201086cee303eadcb60bd28eff78dd9.zip openssl-cf72c7579201086cee303eadcb60bd28eff78dd9.tar.gz openssl-cf72c7579201086cee303eadcb60bd28eff78dd9.tar.bz2 | |
Implement Maximum Fragment Length TLS extension.
Based on patch from Tomasz Moń:
https://groups.google.com/forum/#!topic/mailing.openssl.dev/fQxXvCg1uQY
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/1008)
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/record/rec_layer_d1.c | 4 | ||||
| -rw-r--r-- | ssl/record/rec_layer_s3.c | 28 | ||||
| -rw-r--r-- | ssl/record/ssl3_buffer.c | 9 | ||||
| -rw-r--r-- | ssl/record/ssl3_record.c | 19 | ||||
| -rw-r--r-- | ssl/ssl_asn1.c | 8 | ||||
| -rw-r--r-- | ssl/ssl_err.c | 10 | ||||
| -rw-r--r-- | ssl/ssl_lib.c | 27 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 30 | ||||
| -rw-r--r-- | ssl/statem/extensions.c | 31 | ||||
| -rw-r--r-- | ssl/statem/extensions_clnt.c | 62 | ||||
| -rw-r--r-- | ssl/statem/extensions_cust.c | 3 | ||||
| -rw-r--r-- | ssl/statem/extensions_srvr.c | 57 | ||||
| -rw-r--r-- | ssl/statem/statem_locl.h | 11 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 31 |
14 files changed, 309 insertions, 21 deletions
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 59285ed..3eabf71 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -774,7 +774,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, if (len == 0 && !create_empty_fragment) return 0; - if (len > s->max_send_fragment) { + if (len > ssl_get_max_send_fragment(s)) { SSLerr(SSL_F_DO_DTLS1_WRITE, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE); return 0; } diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 1225f9b..980e5a4 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -334,9 +334,9 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, { const unsigned char *buf = buf_; size_t tot; - size_t n, split_send_fragment, maxpipes; + size_t n, max_send_fragment, split_send_fragment, maxpipes; #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK - size_t max_send_fragment, nw; + size_t nw; #endif SSL3_BUFFER *wb = &s->rlayer.wbuf[0]; int i; @@ -403,7 +403,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, * compromise is considered worthy. */ if (type == SSL3_RT_APPLICATION_DATA && - len >= 4 * (max_send_fragment = s->max_send_fragment) && + len >= 4 * (max_send_fragment = ssl_get_max_send_fragment(s)) && s->compress == NULL && s->msg_callback == NULL && !SSL_WRITE_ETM(s) && SSL_USE_EXPLICIT_IV(s) && EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & @@ -523,7 +523,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, tot += tmpwrit; } } else -#endif +#endif /* !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK */ if (tot == len) { /* done? */ if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s)) ssl3_release_write_buffer(s); @@ -534,7 +534,8 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, n = (len - tot); - split_send_fragment = s->split_send_fragment; + max_send_fragment = ssl_get_max_send_fragment(s); + split_send_fragment = ssl_get_split_send_fragment(s); /* * If max_pipelines is 0 then this means "undefined" and we default to * 1 pipeline. Similarly if the cipher does not support pipelined @@ -556,10 +557,10 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, & EVP_CIPH_FLAG_PIPELINE) || !SSL_USE_EXPLICIT_IV(s)) maxpipes = 1; - if (s->max_send_fragment == 0 || split_send_fragment > s->max_send_fragment - || split_send_fragment == 0) { + if (max_send_fragment == 0 || split_send_fragment == 0 + || split_send_fragment > max_send_fragment) { /* - * We should have prevented this when we set the split and max send + * We should have prevented this when we set/get the split and max send * fragments so we shouldn't get here */ SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR); @@ -577,13 +578,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, if (numpipes > maxpipes) numpipes = maxpipes; - if (n / numpipes >= s->max_send_fragment) { + if (n / numpipes >= max_send_fragment) { /* * We have enough data to completely fill all available * pipelines */ for (j = 0; j < numpipes; j++) { - pipelens[j] = s->max_send_fragment; + pipelens[j] = max_send_fragment; } } else { /* We can partially fill all available pipelines */ @@ -854,7 +855,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, } if (SSL_TREAT_AS_TLS13(s) && s->enc_write_ctx != NULL) { - size_t rlen; + size_t rlen, max_send_fragment; if (!WPACKET_put_bytes_u8(thispkt, type)) { SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); @@ -863,10 +864,11 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, SSL3_RECORD_add_length(thiswr, 1); /* Add TLS1.3 padding */ + max_send_fragment = ssl_get_max_send_fragment(s); rlen = SSL3_RECORD_get_length(thiswr); - if (rlen < SSL3_RT_MAX_PLAIN_LENGTH) { + if (rlen < max_send_fragment) { size_t padding = 0; - size_t max_padding = SSL3_RT_MAX_PLAIN_LENGTH - rlen; + size_t max_padding = max_send_fragment - rlen; if (s->record_padding_cb != NULL) { padding = s->record_padding_cb(s, type, rlen, s->record_padding_arg); } else if (s->block_padding > 0) { diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c index 8a6a922..da23b36 100644 --- a/ssl/record/ssl3_buffer.c +++ b/ssl/record/ssl3_buffer.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -93,7 +93,7 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len) align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); #endif - len = s->max_send_fragment + len = ssl_get_max_send_fragment(s) + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; #ifndef OPENSSL_NO_COMP if (ssl_allow_compression(s)) @@ -107,6 +107,11 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len) for (currpipe = 0; currpipe < numwpipes; currpipe++) { SSL3_BUFFER *thiswb = &wb[currpipe]; + if (thiswb->buf != NULL && thiswb->len != len) { + OPENSSL_free(thiswb->buf); + thiswb->buf = NULL; /* force reallocation */ + } + if (thiswb->buf == NULL) { p = OPENSSL_malloc(len); if (p == NULL) { diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 8d71cd3..28a706f 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -685,6 +685,14 @@ int ssl3_get_record(SSL *s) goto f_err; } + /* If received packet overflows current Max Fragment Length setting */ + if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) + && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { + al = SSL_AD_RECORD_OVERFLOW; + SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); + goto f_err; + } + thisrr->off = 0; /*- * So at this point the following is true @@ -1823,6 +1831,15 @@ int dtls1_get_record(SSL *s) goto again; } + /* If received packet overflows own-client Max Fragment Length setting */ + if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) + && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { + /* record too long, silently discard it */ + rr->length = 0; + RECORD_LAYER_reset_packet_length(&s->rlayer); + goto again; + } + /* now s->rlayer.rstate == SSL_ST_READ_BODY */ } diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index f6019bc..7258618 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -42,6 +42,7 @@ typedef struct { uint32_t max_early_data; ASN1_OCTET_STRING *alpn_selected; ASN1_OCTET_STRING *tick_nonce; + uint32_t tlsext_max_fragment_len_mode; } SSL_SESSION_ASN1; ASN1_SEQUENCE(SSL_SESSION_ASN1) = { @@ -71,7 +72,8 @@ ASN1_SEQUENCE(SSL_SESSION_ASN1) = { ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, tlsext_tick_age_add, ZUINT32, 14), ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, max_early_data, ZUINT32, 15), ASN1_EXP_OPT(SSL_SESSION_ASN1, alpn_selected, ASN1_OCTET_STRING, 16), - ASN1_EXP_OPT(SSL_SESSION_ASN1, tick_nonce, ASN1_OCTET_STRING, 17) + ASN1_EXP_OPT(SSL_SESSION_ASN1, tick_nonce, ASN1_OCTET_STRING, 17), + ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, tlsext_max_fragment_len_mode, ZUINT32, 18) } static_ASN1_SEQUENCE_END(SSL_SESSION_ASN1) IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(SSL_SESSION_ASN1) @@ -196,6 +198,8 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) ssl_session_oinit(&as.tick_nonce, &tick_nonce, in->ext.tick_nonce, in->ext.tick_nonce_len); + as.tlsext_max_fragment_len_mode = in->ext.max_fragment_len_mode; + return i2d_SSL_SESSION_ASN1(&as, pp); } @@ -370,6 +374,8 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, ret->ext.tick_nonce_len = 0; } + ret->ext.max_fragment_len_mode = as->tlsext_max_fragment_len_mode; + M_ASN1_free_of(as, SSL_SESSION_ASN1); if ((a != NULL) && (*a == NULL)) diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 3eb89a3..17a2413 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -176,6 +176,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = { "SSL_CTX_set_session_id_context"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_SET_SSL_VERSION, 0), "SSL_CTX_set_ssl_version"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH, 0), + "SSL_CTX_set_tlsext_max_fragment_length"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_CERTIFICATE, 0), "SSL_CTX_use_certificate"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, 0), @@ -268,6 +270,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = { "SSL_set_session_id_context"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_SESSION_TICKET_EXT, 0), "SSL_set_session_ticket_ext"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH, 0), + "SSL_set_tlsext_max_fragment_length"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_WFD, 0), "SSL_set_wfd"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SHUTDOWN, 0), "SSL_shutdown"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SRP_CTX_INIT, 0), "SSL_SRP_CTX_init"}, @@ -377,6 +381,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = { {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_KEY_EXCHANGE, 0), ""}, {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, 0), "tls_construct_ctos_key_share"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN, 0), + "tls_construct_ctos_maxfragmentlen"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_NPN, 0), "tls_construct_ctos_npn"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_PADDING, 0), @@ -448,6 +454,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = { {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_KEY_EXCHANGE, 0), ""}, {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, 0), "tls_construct_stoc_key_share"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, 0), + "tls_construct_stoc_maxfragmentlen"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG, 0), "tls_construct_stoc_next_proto_neg"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_PSK, 0), @@ -882,6 +890,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { "srtp protection profile list too long"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE), "srtp unknown protection profile"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH), + "ssl3 ext invalid max fragment length"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_SERVERNAME), "ssl3 ext invalid servername"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE), diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index c151e7e..b1173f0 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -688,6 +688,8 @@ SSL *SSL_new(SSL_CTX *ctx) goto err; X509_VERIFY_PARAM_inherit(s->param, ctx->param); s->quiet_shutdown = ctx->quiet_shutdown; + + s->ext.max_fragment_len_mode = ctx->ext.max_fragment_len_mode; s->max_send_fragment = ctx->max_send_fragment; s->split_send_fragment = ctx->split_send_fragment; s->max_pipelines = ctx->max_pipelines; @@ -5160,3 +5162,28 @@ int ssl_randbytes(SSL *s, unsigned char *rnd, size_t size) } return RAND_bytes(rnd, (int)size); } + +__owur unsigned int ssl_get_max_send_fragment(const SSL *ssl) +{ + /* Return any active Max Fragment Len extension */ + if (ssl->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session)) + return GET_MAX_FRAGMENT_LENGTH(ssl->session); + + /* return current SSL connection setting */ + return ssl->max_send_fragment; +} + +__owur unsigned int ssl_get_split_send_fragment(const SSL *ssl) +{ + /* Return a value regarding an active Max Fragment Len extension */ + if (ssl->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session) + && ssl->split_send_fragment > GET_MAX_FRAGMENT_LENGTH(ssl->session)) + return GET_MAX_FRAGMENT_LENGTH(ssl->session); + + /* else limit |split_send_fragment| to current |max_send_fragment| */ + if (ssl->split_send_fragment > ssl->max_send_fragment) + return ssl->max_send_fragment; + + /* return current SSL connection setting */ + return ssl->split_send_fragment; +} diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 78511c2..0acb39a 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -357,6 +357,14 @@ # define SSL_CLIENT_USE_SIGALGS(s) \ SSL_CLIENT_USE_TLS1_2_CIPHERS(s) +# define IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value) \ + (((value) >= TLSEXT_max_fragment_length_512) && \ + ((value) <= TLSEXT_max_fragment_length_4096)) +# define USE_MAX_FRAGMENT_LENGTH_EXT(session) \ + IS_MAX_FRAGMENT_LENGTH_EXT_VALID(session->ext.max_fragment_len_mode) +# define GET_MAX_FRAGMENT_LENGTH(session) \ + (512U << (session->ext.max_fragment_len_mode - 1)) + # define SSL_READ_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_READ) # define SSL_WRITE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE) @@ -558,6 +566,13 @@ struct ssl_session_st { /* The ALPN protocol selected for this session */ unsigned char *alpn_selected; size_t alpn_selected_len; + /* + * Maximum Fragment Length as per RFC 4366. + * If this value does not contain RFC 4366 allowed values (1-4) then + * either the Maximum Fragment Length Negotiation failed or was not + * performed at all. + */ + uint8_t max_fragment_len_mode; } ext; # ifndef OPENSSL_NO_SRP char *srp_username; @@ -669,6 +684,7 @@ typedef struct { typedef enum tlsext_index_en { TLSEXT_IDX_renegotiate, TLSEXT_IDX_server_name, + TLSEXT_IDX_max_fragment_length, TLSEXT_IDX_srp, TLSEXT_IDX_ec_point_formats, TLSEXT_IDX_supported_groups, @@ -895,6 +911,8 @@ struct ssl_ctx_st { void *status_arg; /* ext status type used for CSR extension (OCSP Stapling) */ int status_type; + /* RFC 4366 Maximum Fragment Length Negotiation */ + uint8_t max_fragment_len_mode; # ifndef OPENSSL_NO_EC /* EC extension values inherited by SSL structure */ @@ -1244,6 +1262,16 @@ struct ssl_st { /* May be sent by a server in HRR. Must be echoed back in ClientHello */ unsigned char *tls13_cookie; size_t tls13_cookie_len; + /* + * Maximum Fragment Length as per RFC 4366. + * If this member contains one of the allowed values (1-4) + * then we should include Maximum Fragment Length Negotiation + * extension in Client Hello. + * Please note that value of this member does not have direct + * effect. The actual (binding) value is stored in SSL_SESSION, + * as this extension is optional on server side. + */ + uint8_t max_fragment_len_mode; } ext; /* @@ -2175,6 +2203,8 @@ __owur EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm); __owur int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int genmaster); __owur EVP_PKEY *ssl_dh_to_pkey(DH *dh); +__owur unsigned int ssl_get_max_send_fragment(const SSL *ssl); +__owur unsigned int ssl_get_split_send_fragment(const SSL *ssl); __owur const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id); __owur const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname); diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 3153d3b..1c34141 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -55,6 +55,7 @@ static int init_srtp(SSL *s, unsigned int context); #endif static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al); static int final_early_data(SSL *s, unsigned int context, int sent, int *al); +static int final_maxfragmentlen(SSL *s, unsigned int context, int sent, int *al); /* Structure to define a built-in extension */ typedef struct extensions_definition_st { @@ -135,6 +136,14 @@ static const EXTENSION_DEFINITION ext_defs[] = { tls_construct_stoc_server_name, tls_construct_ctos_server_name, final_server_name }, + { + TLSEXT_TYPE_max_fragment_length, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, + NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen, + tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen, + final_maxfragmentlen + }, #ifndef OPENSSL_NO_SRP { TLSEXT_TYPE_srp, @@ -1475,3 +1484,25 @@ static int final_early_data(SSL *s, unsigned int context, int sent, int *al) return 1; } + +static int final_maxfragmentlen(SSL *ssl, unsigned int context, int sent, int *al) +{ + /* + * Session resumption on server-side with MFL extension active + * BUT MFL extension packet was not resent (i.e. sent == 0) + */ + if (ssl->server && ssl->hit && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session) + && !sent ) { + *al = SSL_AD_MISSING_EXTENSION; + return 0; + } + + /* Current SSL buffer is lower than requested MFL */ + if (ssl->session && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session) + && ssl->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(ssl->session)) + /* trigger a larger buffer reallocation */ + if (!ssl3_setup_buffers(ssl)) + return 0; + + return 1; +} diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index c1f98b4..ff2e0cf 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -57,6 +57,31 @@ EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, return EXT_RETURN_SENT; } +/* Push a Max Fragment Len extension into ClientHello */ +EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al) +{ + if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED) + return EXT_RETURN_NOT_SENT; + + /* Add Max Fragment Length extension if client enabled it. */ + /*- + * 4 bytes for this extension type and extension length + * 1 byte for the Max Fragment Length code value. + */ + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length) + /* Sub-packet for Max Fragment Length extension (1 byte) */ + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode) + || !WPACKET_close(pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + #ifndef OPENSSL_NO_SRP EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al) @@ -1115,6 +1140,43 @@ int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context, return 1; } +/* Parse the server's max fragment len extension packet */ +int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al) +{ + unsigned int value; + + if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { + *al = TLS1_AD_DECODE_ERROR; + return 0; + } + + /* |value| should contains a valid max-fragment-length code. */ + if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + + /* Must be the same value as client-configured one who was sent to server */ + /*- + * RFC 6066: if a client receives a maximum fragment length negotiation + * response that differs from the length it requested, ... + * It must abort with SSL_AD_ILLEGAL_PARAMETER alert + */ + if (value != s->ext.max_fragment_len_mode) { + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + + /* + * Maximum Fragment Length Negotiation succeeded. + * The negotiated Maximum Fragment Length is binding now. + */ + s->session->ext.max_fragment_len_mode = value; + + return 1; +} + int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al) { diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c index 24b9909..055c850 100644 --- a/ssl/statem/extensions_cust.c +++ b/ssl/statem/extensions_cust.c @@ -1,5 +1,5 @@ /* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -489,6 +489,7 @@ int SSL_extension_supported(unsigned int ext_type) #endif case TLSEXT_TYPE_padding: case TLSEXT_TYPE_renegotiate: + case TLSEXT_TYPE_max_fragment_length: case TLSEXT_TYPE_server_name: case TLSEXT_TYPE_session_ticket: case TLSEXT_TYPE_signature_algorithms: diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 8bf3a76..1b56fa1 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -139,6 +139,40 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, return 1; } +int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al) +{ + unsigned int value; + + if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { + *al = TLS1_AD_DECODE_ERROR; + return 0; + } + + /* Received |value| should be a valid max-fragment-length code. */ + if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + + /* + * RFC 6066: The negotiated length applies for the duration of the session + * including session resumptions. + * We should receive the same code as in resumed session ! + */ + if (s->hit && s->session->ext.max_fragment_len_mode != value) { + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + + /* + * Store it in session, so it'll become binding for us + * and we'll include it in a next Server Hello. + */ + s->session->ext.max_fragment_len_mode = value; + return 1; +} + #ifndef OPENSSL_NO_SRP int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al) @@ -844,6 +878,29 @@ EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, return EXT_RETURN_SENT; } +/* Add/include the server's max fragment len extension into ServerHello */ +EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al) +{ + if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session)) + return EXT_RETURN_NOT_SENT; + + /*- + * 4 bytes for this extension type and extension length + * 1 byte for the Max Fragment Length code value. + */ + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode) + || !WPACKET_close(pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + #ifndef OPENSSL_NO_EC EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, diff --git a/ssl/statem/statem_locl.h b/ssl/statem/statem_locl.h index 9b76dc0..0ec097c 100644 --- a/ssl/statem/statem_locl.h +++ b/ssl/statem/statem_locl.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -187,6 +187,8 @@ int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); +int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al); #ifndef OPENSSL_NO_SRP int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); @@ -237,6 +239,9 @@ EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); #ifndef OPENSSL_NO_EC EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, @@ -287,6 +292,8 @@ EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, unsigned int con X509 *x, size_t chainidx, int *al); EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al); #ifndef OPENSSL_NO_SRP EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); @@ -353,6 +360,8 @@ int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); +int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al); #ifndef OPENSSL_NO_EC int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 28b25e1..48f01ff 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2406,3 +2406,34 @@ int tls_choose_sigalg(SSL *s, int *al) s->s3->tmp.sigalg = lu; return 1; } + +int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode) +{ + if (mode != TLSEXT_max_fragment_length_DISABLED + && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { + SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH, + SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); + return 0; + } + + ctx->ext.max_fragment_len_mode = mode; + return 1; +} + +int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode) +{ + if (mode != TLSEXT_max_fragment_length_DISABLED + && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { + SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH, + SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); + return 0; + } + + ssl->ext.max_fragment_len_mode = mode; + return 1; +} + +uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session) +{ + return session->ext.max_fragment_len_mode; +} |