Add 1/n-1 record splitting
This commit is contained in:
parent
edd371a82c
commit
d76314c44c
4 changed files with 64 additions and 0 deletions
|
@ -263,6 +263,11 @@
|
||||||
#error "POLARSSL_SSL_SESSION_TICKETS_C defined, but not all prerequisites"
|
#error "POLARSSL_SSL_SESSION_TICKETS_C defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING) && \
|
||||||
|
!defined(POLARSSL_SSL_PROTO_SSL3) && !defined(POLARSSL_SSL_PROTO_TLS1)
|
||||||
|
#error "POLARSSL_SSL_CBC_RECORD_SPLITTING defined, but not all prerequisites"
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) && \
|
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) && \
|
||||||
!defined(POLARSSL_X509_CRT_PARSE_C)
|
!defined(POLARSSL_X509_CRT_PARSE_C)
|
||||||
#error "POLARSSL_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
|
#error "POLARSSL_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
|
||||||
|
|
|
@ -821,6 +821,18 @@
|
||||||
*/
|
*/
|
||||||
//#define POLARSSL_SSL_HW_RECORD_ACCEL
|
//#define POLARSSL_SSL_HW_RECORD_ACCEL
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \def POLARSSL_SSL_CBC_RECORD_SPLITTING
|
||||||
|
*
|
||||||
|
* Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.
|
||||||
|
*
|
||||||
|
* This is a countermeasure to the BEAST attack, which also minimizes the risk
|
||||||
|
* of interoperability issues compared to sending 0-length records.
|
||||||
|
*
|
||||||
|
* Comment this macro to disable 1/n-1 record splitting.
|
||||||
|
*/
|
||||||
|
#define POLARSSL_SSL_CBC_RECORD_SPLITTING
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \def POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
|
* \def POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
|
||||||
*
|
*
|
||||||
|
|
|
@ -784,6 +784,9 @@ struct _ssl_context
|
||||||
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
|
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
|
||||||
unsigned char mfl_code; /*!< MaxFragmentLength chosen by us */
|
unsigned char mfl_code; /*!< MaxFragmentLength chosen by us */
|
||||||
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
||||||
|
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
|
||||||
|
unsigned char split_done; /*!< flag for record splitting */
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* PKI layer
|
* PKI layer
|
||||||
|
|
|
@ -3482,6 +3482,9 @@ int ssl_session_reset( ssl_context *ssl )
|
||||||
ssl->out_msgtype = 0;
|
ssl->out_msgtype = 0;
|
||||||
ssl->out_msglen = 0;
|
ssl->out_msglen = 0;
|
||||||
ssl->out_left = 0;
|
ssl->out_left = 0;
|
||||||
|
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
|
||||||
|
ssl->split_done = 0;
|
||||||
|
#endif
|
||||||
|
|
||||||
ssl->transform_in = NULL;
|
ssl->transform_in = NULL;
|
||||||
ssl->transform_out = NULL;
|
ssl->transform_out = NULL;
|
||||||
|
@ -4431,7 +4434,11 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
|
||||||
/*
|
/*
|
||||||
* Send application data to be encrypted by the SSL layer
|
* Send application data to be encrypted by the SSL layer
|
||||||
*/
|
*/
|
||||||
|
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
|
||||||
|
static int ssl_write_real( ssl_context *ssl, const unsigned char *buf, size_t len )
|
||||||
|
#else
|
||||||
int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
|
int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
|
||||||
|
#endif
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
size_t n;
|
size_t n;
|
||||||
|
@ -4492,6 +4499,43 @@ int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
|
||||||
return( (int) n );
|
return( (int) n );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Write application data, doing 1/n-1 splitting if necessary.
|
||||||
|
*
|
||||||
|
* With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
|
||||||
|
* then the caller wil call us again with the same arguments.
|
||||||
|
*/
|
||||||
|
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
|
||||||
|
int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
if( ssl->minor_ver > SSL_MINOR_VERSION_1 ||
|
||||||
|
len == 0 ||
|
||||||
|
cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
|
||||||
|
!= POLARSSL_MODE_CBC )
|
||||||
|
{
|
||||||
|
return( ssl_write_real( ssl, buf, len ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ssl->split_done == 0 )
|
||||||
|
{
|
||||||
|
ssl->split_done = 1;
|
||||||
|
if( ( ret = ssl_write_real( ssl, buf, 1 ) ) < 0 )
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ssl->split_done == 1 && len > 1 )
|
||||||
|
{
|
||||||
|
ssl->split_done = 0;
|
||||||
|
if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) < 0 )
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( ret + 1 );
|
||||||
|
}
|
||||||
|
#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Notify the peer that the connection is being closed
|
* Notify the peer that the connection is being closed
|
||||||
*/
|
*/
|
||||||
|
|
Loading…
Reference in a new issue