Let MBEDTLS_SSL_MAX_CONTENT_LEN to be split into outward & inward sizes
For the situation where the mbedTLS device has limited RAM, but the other end of the connection doesn't support the max_fragment_length extension. To be spec-compliant, mbedTLS has to keep a 16384 byte incoming buffer. However the outgoing buffer can be made smaller without breaking spec compliance, and we save some RAM. See comments in include/mbedtls/config.h for some more details. (The lower limit of outgoing buffer size is the buffer size used during handshake/cert negotiation. As the handshake is half-duplex it might even be possible to store this data in the "incoming" buffer during the handshake, which would save even more RAM - but it would also be a lot hackier and error-prone. I didn't really explore this possibility, but thought I'd mention it here in case someone sees this later on a mission to jam mbedTLS into an even tinier RAM footprint.)
This commit is contained in:
parent
2dbecc04cc
commit
d8213d00db
7 changed files with 198 additions and 87 deletions
|
@ -1378,7 +1378,8 @@
|
|||
#define SSL_ANTI_REPLAY_ENABLED MBEDTLS_SSL_ANTI_REPLAY_ENABLED
|
||||
#define SSL_ARC4_DISABLED MBEDTLS_SSL_ARC4_DISABLED
|
||||
#define SSL_ARC4_ENABLED MBEDTLS_SSL_ARC4_ENABLED
|
||||
#define SSL_BUFFER_LEN MBEDTLS_SSL_BUFFER_LEN
|
||||
#define SSL_BUFFER_LEN ( ( ( MBEDTLS_SSL_IN_BUFFER_LEN ) < ( MBEDTLS_SSL_OUT_BUFFER_LEN ) ) \
|
||||
? ( MBEDTLS_SSL_IN_BUFFER_LEN ) : ( MBEDTLS_SSL_OUT_BUFFER_LEN ) )
|
||||
#define SSL_CACHE_DEFAULT_MAX_ENTRIES MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
|
||||
#define SSL_CACHE_DEFAULT_TIMEOUT MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
|
||||
#define SSL_CBC_RECORD_SPLITTING_DISABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
|
||||
|
|
|
@ -2896,7 +2896,51 @@
|
|||
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
|
||||
|
||||
/* SSL options */
|
||||
//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
|
||||
|
||||
/** \def MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
*
|
||||
* Maximum fragment length in bytes.
|
||||
*
|
||||
* Determines the size of both the incoming and outgoing TLS I/O buffers.
|
||||
*
|
||||
* Uncommenting MBEDTLS_SSL_IN_CONTENT_LEN and/or MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
* will override this length by setting maximum incoming and/or outgoing
|
||||
* fragment length, respectively.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384
|
||||
|
||||
/** \def MBEDTLS_SSL_IN_CONTENT_LEN
|
||||
*
|
||||
* Maximum incoming fragment length in bytes.
|
||||
*
|
||||
* Uncomment to set the size of the inward TLS buffer independently of the
|
||||
* outward buffer.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
|
||||
|
||||
/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
*
|
||||
* Maximum outgoing fragment length in bytes.
|
||||
*
|
||||
* Uncomment to set the size of the outward TLS buffer independently of the
|
||||
* inward buffer.
|
||||
*
|
||||
* It is possible to save RAM by setting a smaller outward buffer, while keeping
|
||||
* the default inward 16384 byte buffer to conform to the TLS specification.
|
||||
*
|
||||
* The minimum required outward buffer size is determined by the handshake
|
||||
* protocol's usage. Handshaking will fail if the outward buffer is too small.
|
||||
* The specific size requirement depends on the configured ciphers and any
|
||||
* certificate data which is sent during the handshake.
|
||||
*
|
||||
* For absolute minimum RAM usage, it's best to enable
|
||||
* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This
|
||||
* reduces both incoming and outgoing buffer sizes. However this is only
|
||||
* guaranteed if the other end of the connection also supports the TLS
|
||||
* max_fragment_len extension. Otherwise the connection may fail.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384
|
||||
|
||||
//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
|
||||
//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
|
||||
//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
|
||||
|
|
|
@ -220,7 +220,7 @@
|
|||
#endif
|
||||
|
||||
/*
|
||||
* Maxium fragment length in bytes,
|
||||
* Maximum fragment length in bytes,
|
||||
* determines the size of each of the two internal I/O buffers.
|
||||
*
|
||||
* Note: the RFC defines the default size of SSL / TLS messages. If you
|
||||
|
@ -234,6 +234,14 @@
|
|||
#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_SSL_IN_CONTENT_LEN)
|
||||
#define MBEDTLS_SSL_IN_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_SSL_OUT_CONTENT_LEN)
|
||||
#define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
#endif
|
||||
|
||||
/* \} name SECTION: Module settings */
|
||||
|
||||
/*
|
||||
|
@ -2418,7 +2426,8 @@ void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
|
|||
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
||||
/**
|
||||
* \brief Set the maximum fragment length to emit and/or negotiate
|
||||
* (Default: MBEDTLS_SSL_MAX_CONTENT_LEN, usually 2^14 bytes)
|
||||
* (Default: the smaller of MBEDTLS_SSL_IN_CONTENT_LEN and
|
||||
* MBEDTLS_SSL_OUT_CONTENT_LEN, usually 2^14 bytes)
|
||||
* (Server: set maximum fragment length to emit,
|
||||
* usually negotiated by the client during handshake
|
||||
* (Client: set maximum fragment length to emit *and*
|
||||
|
|
|
@ -143,32 +143,73 @@
|
|||
#define MBEDTLS_SSL_PADDING_ADD 0
|
||||
#endif
|
||||
|
||||
#define MBEDTLS_SSL_PAYLOAD_LEN ( MBEDTLS_SSL_MAX_CONTENT_LEN \
|
||||
+ MBEDTLS_SSL_COMPRESSION_ADD \
|
||||
+ MBEDTLS_MAX_IV_LENGTH \
|
||||
+ MBEDTLS_SSL_MAC_ADD \
|
||||
+ MBEDTLS_SSL_PADDING_ADD \
|
||||
)
|
||||
#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD + \
|
||||
MBEDTLS_MAX_IV_LENGTH + \
|
||||
MBEDTLS_SSL_MAC_ADD + \
|
||||
MBEDTLS_SSL_PADDING_ADD \
|
||||
)
|
||||
|
||||
#define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
|
||||
( MBEDTLS_SSL_IN_CONTENT_LEN ) )
|
||||
|
||||
#define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
|
||||
( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
|
||||
|
||||
/* Maximum length we can advertise as our max content length for
|
||||
RFC 6066 max_fragment_length extension negotiation purposes
|
||||
(the lesser of both sizes, if they are unequal.)
|
||||
*/
|
||||
#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
|
||||
(MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
|
||||
? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
|
||||
: ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
|
||||
)
|
||||
|
||||
/*
|
||||
* Check that we obey the standard's message size bounds
|
||||
*/
|
||||
|
||||
#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
|
||||
#error Bad configuration - record content too large.
|
||||
#error "Bad configuration - record content too large."
|
||||
#endif
|
||||
|
||||
#if MBEDTLS_SSL_PAYLOAD_LEN > 16384 + 2048
|
||||
#error Bad configuration - protected record payload too large.
|
||||
#if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
#error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
|
||||
#endif
|
||||
|
||||
#if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
#error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
|
||||
#endif
|
||||
|
||||
#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
|
||||
#error "Bad configuration - incoming protected record payload too large."
|
||||
#endif
|
||||
|
||||
#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
|
||||
#error "Bad configuration - outgoing protected record payload too large."
|
||||
#endif
|
||||
|
||||
/* Calculate buffer sizes */
|
||||
|
||||
/* Note: Even though the TLS record header is only 5 bytes
|
||||
long, we're internally using 8 bytes to store the
|
||||
implicit sequence number. */
|
||||
#define MBEDTLS_SSL_HEADER_LEN 13
|
||||
|
||||
#define MBEDTLS_SSL_BUFFER_LEN \
|
||||
( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_PAYLOAD_LEN ) )
|
||||
#define MBEDTLS_SSL_IN_BUFFER_LEN \
|
||||
( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
|
||||
|
||||
#define MBEDTLS_SSL_OUT_BUFFER_LEN \
|
||||
( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
|
||||
|
||||
#ifdef MBEDTLS_ZLIB_SUPPORT
|
||||
/* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
|
||||
#define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \
|
||||
( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN ) \
|
||||
? MBEDTLS_SSL_IN_BUFFER_LEN \
|
||||
: MBEDTLS_SSL_OUT_BUFFER_LEN \
|
||||
)
|
||||
#endif
|
||||
|
||||
/*
|
||||
* TLS extension flags (for extensions with outgoing ServerHello content
|
||||
|
|
|
@ -57,7 +57,7 @@ static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
|
|||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
size_t hostname_len;
|
||||
|
||||
*olen = 0;
|
||||
|
@ -127,7 +127,7 @@ static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
|
|||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
|
||||
*olen = 0;
|
||||
|
||||
|
@ -171,7 +171,7 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
|
|||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
size_t sig_alg_len = 0;
|
||||
const int *md;
|
||||
#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
|
||||
|
@ -256,7 +256,7 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
|
|||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
unsigned char *elliptic_curve_list = p + 6;
|
||||
size_t elliptic_curve_len = 0;
|
||||
const mbedtls_ecp_curve_info *info;
|
||||
|
@ -329,7 +329,7 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
|
|||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
|
||||
*olen = 0;
|
||||
|
||||
|
@ -362,7 +362,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
|
|||
{
|
||||
int ret;
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
size_t kkpp_len;
|
||||
|
||||
*olen = 0;
|
||||
|
@ -439,7 +439,7 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
|
|||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
|
||||
*olen = 0;
|
||||
|
||||
|
@ -472,7 +472,7 @@ static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
|
|||
unsigned char *buf, size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
|
||||
*olen = 0;
|
||||
|
||||
|
@ -504,7 +504,7 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
|||
unsigned char *buf, size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
|
||||
*olen = 0;
|
||||
|
||||
|
@ -538,7 +538,7 @@ static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
|
|||
unsigned char *buf, size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
|
||||
*olen = 0;
|
||||
|
||||
|
@ -572,7 +572,7 @@ static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
|
|||
unsigned char *buf, size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
size_t tlen = ssl->session_negotiate->ticket_len;
|
||||
|
||||
*olen = 0;
|
||||
|
@ -616,7 +616,7 @@ static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
|
|||
unsigned char *buf, size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
size_t alpnlen = 0;
|
||||
const char **cur;
|
||||
|
||||
|
@ -2117,7 +2117,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
|
|||
size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
|
||||
unsigned char *p = ssl->handshake->premaster + pms_offset;
|
||||
|
||||
if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
|
||||
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||
|
@ -2160,7 +2160,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
|
|||
if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
|
||||
p, ssl->handshake->pmslen,
|
||||
ssl->out_msg + offset + len_bytes, olen,
|
||||
MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes,
|
||||
MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
|
||||
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
|
||||
|
@ -2926,7 +2926,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
i = 4;
|
||||
n = ssl->conf->psk_identity_len;
|
||||
|
||||
if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
|
||||
"SSL buffer too short" ) );
|
||||
|
@ -2962,7 +2962,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
*/
|
||||
n = ssl->handshake->dhm_ctx.len;
|
||||
|
||||
if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
|
||||
" or SSL buffer too short" ) );
|
||||
|
@ -2991,7 +2991,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
* ClientECDiffieHellmanPublic public;
|
||||
*/
|
||||
ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
|
||||
&ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
|
||||
&ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i,
|
||||
ssl->conf->f_rng, ssl->conf->p_rng );
|
||||
if( ret != 0 )
|
||||
{
|
||||
|
@ -3032,7 +3032,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
i = 4;
|
||||
|
||||
ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
|
||||
ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n,
|
||||
ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n,
|
||||
ssl->conf->f_rng, ssl->conf->p_rng );
|
||||
if( ret != 0 )
|
||||
{
|
||||
|
|
|
@ -1303,7 +1303,7 @@ read_record_header:
|
|||
else
|
||||
#endif
|
||||
{
|
||||
if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||
|
@ -2235,7 +2235,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
|
|||
{
|
||||
int ret;
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
size_t kkpp_len;
|
||||
|
||||
*olen = 0;
|
||||
|
@ -2342,7 +2342,7 @@ static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
|
|||
cookie_len_byte = p++;
|
||||
|
||||
if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
|
||||
&p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
|
||||
&p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
|
||||
ssl->cli_id, ssl->cli_id_len ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
|
||||
|
@ -2638,7 +2638,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
|||
size_t dn_size, total_dn_size; /* excluding length bytes */
|
||||
size_t ct_len, sa_len; /* including length bytes */
|
||||
unsigned char *buf, *p;
|
||||
const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
const mbedtls_x509_crt *crt;
|
||||
int authmode;
|
||||
|
||||
|
@ -2839,7 +2839,7 @@ static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
|
|||
* ssl_write_server_key_exchange also takes care of incrementing
|
||||
* ssl->out_msglen. */
|
||||
unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
|
||||
size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
- sig_start );
|
||||
int ret = ssl->conf->f_async_resume( ssl,
|
||||
sig_start, signature_len, sig_max_len );
|
||||
|
@ -2893,7 +2893,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
|||
ret = mbedtls_ecjpake_write_round_two(
|
||||
&ssl->handshake->ecjpake_ctx,
|
||||
ssl->out_msg + ssl->out_msglen,
|
||||
MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen, &len,
|
||||
MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
|
||||
ssl->conf->f_rng, ssl->conf->p_rng );
|
||||
if( ret != 0 )
|
||||
{
|
||||
|
@ -3020,7 +3020,7 @@ curve_matching_done:
|
|||
if( ( ret = mbedtls_ecdh_make_params(
|
||||
&ssl->handshake->ecdh_ctx, &len,
|
||||
ssl->out_msg + ssl->out_msglen,
|
||||
MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen,
|
||||
MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
|
||||
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
|
||||
|
@ -4171,7 +4171,7 @@ static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
|
|||
if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
|
||||
ssl->session_negotiate,
|
||||
ssl->out_msg + 10,
|
||||
ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
|
||||
ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
|
||||
&tlen, &lifetime ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
|
||||
|
|
|
@ -141,14 +141,24 @@ static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
|
|||
* } MaxFragmentLength;
|
||||
* and we add 0 -> extension unused
|
||||
*/
|
||||
static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] =
|
||||
static unsigned int ssl_mfl_code_to_length( int mfl )
|
||||
{
|
||||
MBEDTLS_SSL_MAX_CONTENT_LEN, /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */
|
||||
512, /* MBEDTLS_SSL_MAX_FRAG_LEN_512 */
|
||||
1024, /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */
|
||||
2048, /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */
|
||||
4096, /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */
|
||||
};
|
||||
switch( mfl )
|
||||
{
|
||||
case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
|
||||
return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
|
||||
case MBEDTLS_SSL_MAX_FRAG_LEN_512:
|
||||
return 512;
|
||||
case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
|
||||
return 1024;
|
||||
case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
|
||||
return 2048;
|
||||
case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
|
||||
return 4096;
|
||||
default:
|
||||
return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CLI_C)
|
||||
|
@ -956,11 +966,11 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
|||
if( ssl->compress_buf == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
|
||||
ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN );
|
||||
ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
|
||||
if( ssl->compress_buf == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
|
||||
MBEDTLS_SSL_BUFFER_LEN ) );
|
||||
MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
|
||||
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
||||
}
|
||||
}
|
||||
|
@ -1297,11 +1307,11 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
|
|||
MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
|
||||
ssl->out_msg, ssl->out_msglen );
|
||||
|
||||
if( ssl->out_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",
|
||||
(unsigned) ssl->out_msglen,
|
||||
MBEDTLS_SSL_MAX_CONTENT_LEN ) );
|
||||
MBEDTLS_SSL_OUT_CONTENT_LEN ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
|
@ -1906,14 +1916,14 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
|
|||
* Padding is guaranteed to be incorrect if:
|
||||
* 1. padlen >= ssl->in_msglen
|
||||
*
|
||||
* 2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN +
|
||||
* 2. padding_idx >= MBEDTLS_SSL_IN_CONTENT_LEN +
|
||||
* ssl->transform_in->maclen
|
||||
*
|
||||
* In both cases we reset padding_idx to a safe value (0) to
|
||||
* prevent out-of-buffer reads.
|
||||
*/
|
||||
correct &= ( ssl->in_msglen >= padlen + 1 );
|
||||
correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN +
|
||||
correct &= ( padding_idx < MBEDTLS_SSL_IN_CONTENT_LEN +
|
||||
ssl->transform_in->maclen );
|
||||
|
||||
padding_idx *= correct;
|
||||
|
@ -2126,7 +2136,7 @@ static int ssl_compress_buf( mbedtls_ssl_context *ssl )
|
|||
ssl->transform_out->ctx_deflate.next_in = msg_pre;
|
||||
ssl->transform_out->ctx_deflate.avail_in = len_pre;
|
||||
ssl->transform_out->ctx_deflate.next_out = msg_post;
|
||||
ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN - bytes_written;
|
||||
ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_OUT_BUFFER_LEN - bytes_written;
|
||||
|
||||
ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
|
||||
if( ret != Z_OK )
|
||||
|
@ -2135,7 +2145,7 @@ static int ssl_compress_buf( mbedtls_ssl_context *ssl )
|
|||
return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
|
||||
}
|
||||
|
||||
ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN -
|
||||
ssl->out_msglen = MBEDTLS_SSL_OUT_BUFFER_LEN -
|
||||
ssl->transform_out->ctx_deflate.avail_out - bytes_written;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
|
||||
|
@ -2173,7 +2183,7 @@ static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
|
|||
ssl->transform_in->ctx_inflate.next_in = msg_pre;
|
||||
ssl->transform_in->ctx_inflate.avail_in = len_pre;
|
||||
ssl->transform_in->ctx_inflate.next_out = msg_post;
|
||||
ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_BUFFER_LEN -
|
||||
ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_IN_BUFFER_LEN -
|
||||
header_bytes;
|
||||
|
||||
ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
|
||||
|
@ -2183,7 +2193,7 @@ static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
|
|||
return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
|
||||
}
|
||||
|
||||
ssl->in_msglen = MBEDTLS_SSL_BUFFER_LEN -
|
||||
ssl->in_msglen = MBEDTLS_SSL_IN_BUFFER_LEN -
|
||||
ssl->transform_in->ctx_inflate.avail_out - header_bytes;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
|
||||
|
@ -2258,7 +2268,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
|
|||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
|
||||
if( nb_want > MBEDTLS_SSL_IN_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
@ -2344,7 +2354,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
|
|||
}
|
||||
else
|
||||
{
|
||||
len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
|
||||
len = MBEDTLS_SSL_IN_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
|
||||
|
||||
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
|
||||
timeout = ssl->handshake->retransmit_timeout;
|
||||
|
@ -2798,12 +2808,12 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
|
|||
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
||||
{
|
||||
/* Make room for the additional DTLS fields */
|
||||
if( MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen < 8 )
|
||||
if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
|
||||
"size %u, maximum %u",
|
||||
(unsigned) ( ssl->in_hslen - 4 ),
|
||||
(unsigned) ( MBEDTLS_SSL_MAX_CONTENT_LEN - 12 ) ) );
|
||||
(unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
|
@ -3016,7 +3026,7 @@ static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl )
|
|||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
|
||||
msg_len ) );
|
||||
|
||||
if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( ssl->in_hslen > MBEDTLS_SSL_IN_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) );
|
||||
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
||||
|
@ -3120,7 +3130,7 @@ static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl )
|
|||
ssl->next_record_offset = new_remain - ssl->in_hdr;
|
||||
ssl->in_left = ssl->next_record_offset + remain_len;
|
||||
|
||||
if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN -
|
||||
if( ssl->in_left > MBEDTLS_SSL_IN_BUFFER_LEN -
|
||||
(size_t)( ssl->in_hdr - ssl->in_buf ) )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) );
|
||||
|
@ -3496,7 +3506,7 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
|
|||
ssl->conf->p_cookie,
|
||||
ssl->cli_id, ssl->cli_id_len,
|
||||
ssl->in_buf, ssl->in_left,
|
||||
ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len );
|
||||
ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
|
||||
|
||||
|
@ -3593,7 +3603,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
|||
}
|
||||
|
||||
/* Check length against the size of our buffer */
|
||||
if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN
|
||||
if( ssl->in_msglen > MBEDTLS_SSL_IN_BUFFER_LEN
|
||||
- (size_t)( ssl->in_msg - ssl->in_buf ) )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
|
||||
|
@ -3687,7 +3697,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
|||
if( ssl->transform_in == NULL )
|
||||
{
|
||||
if( ssl->in_msglen < 1 ||
|
||||
ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
|
||||
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
|
||||
|
@ -3703,7 +3713,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
|||
|
||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
|
||||
ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
|
||||
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
|
||||
|
@ -3716,7 +3726,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
|||
*/
|
||||
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
|
||||
ssl->in_msglen > ssl->transform_in->minlen +
|
||||
MBEDTLS_SSL_MAX_CONTENT_LEN + 256 )
|
||||
MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
|
||||
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
|
||||
|
@ -3764,7 +3774,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
|
|||
MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
|
||||
ssl->in_msg, ssl->in_msglen );
|
||||
|
||||
if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
|
||||
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
|
||||
|
@ -4325,10 +4335,10 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
|||
while( crt != NULL )
|
||||
{
|
||||
n = crt->raw.len;
|
||||
if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i )
|
||||
if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
|
||||
i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) );
|
||||
i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) );
|
||||
return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
|
||||
}
|
||||
|
||||
|
@ -5662,17 +5672,23 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
|
|||
const mbedtls_ssl_config *conf )
|
||||
{
|
||||
int ret;
|
||||
const size_t len = MBEDTLS_SSL_BUFFER_LEN;
|
||||
|
||||
ssl->conf = conf;
|
||||
|
||||
/*
|
||||
* Prepare base structures
|
||||
*/
|
||||
if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL ||
|
||||
( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL )
|
||||
ssl->in_buf = mbedtls_calloc( 1, MBEDTLS_SSL_IN_BUFFER_LEN );
|
||||
if( ssl->in_buf == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN) );
|
||||
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
||||
}
|
||||
|
||||
ssl->out_buf = mbedtls_calloc( 1, MBEDTLS_SSL_OUT_BUFFER_LEN );
|
||||
if( ssl->out_buf == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_OUT_BUFFER_LEN) );
|
||||
mbedtls_free( ssl->in_buf );
|
||||
ssl->in_buf = NULL;
|
||||
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
||||
|
@ -5773,9 +5789,9 @@ static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
|
|||
ssl->transform_in = NULL;
|
||||
ssl->transform_out = NULL;
|
||||
|
||||
memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
|
||||
memset( ssl->out_buf, 0, MBEDTLS_SSL_OUT_BUFFER_LEN );
|
||||
if( partial == 0 )
|
||||
memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
|
||||
memset( ssl->in_buf, 0, MBEDTLS_SSL_IN_BUFFER_LEN );
|
||||
|
||||
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
|
||||
if( mbedtls_ssl_hw_record_reset != NULL )
|
||||
|
@ -6100,7 +6116,7 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
|
|||
|
||||
/* Identity len will be encoded on two bytes */
|
||||
if( ( psk_identity_len >> 16 ) != 0 ||
|
||||
psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
|
||||
{
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
@ -6401,7 +6417,7 @@ void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
|
|||
int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
|
||||
{
|
||||
if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
|
||||
mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
|
||||
{
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
@ -6679,15 +6695,15 @@ size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
|
|||
/*
|
||||
* Assume mfl_code is correct since it was checked when set
|
||||
*/
|
||||
max_len = mfl_code_to_length[ssl->conf->mfl_code];
|
||||
max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
|
||||
|
||||
/*
|
||||
* Check if a smaller max length was negotiated
|
||||
*/
|
||||
if( ssl->session_out != NULL &&
|
||||
mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
|
||||
ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
|
||||
{
|
||||
max_len = mfl_code_to_length[ssl->session_out->mfl_code];
|
||||
max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
|
||||
}
|
||||
|
||||
return max_len;
|
||||
|
@ -7241,7 +7257,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl,
|
|||
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
||||
size_t max_len = mbedtls_ssl_get_max_frag_len( ssl );
|
||||
#else
|
||||
size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||
if( len > max_len )
|
||||
{
|
||||
|
@ -7543,20 +7559,20 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
|
|||
|
||||
if( ssl->out_buf != NULL )
|
||||
{
|
||||
mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN );
|
||||
mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN );
|
||||
mbedtls_free( ssl->out_buf );
|
||||
}
|
||||
|
||||
if( ssl->in_buf != NULL )
|
||||
{
|
||||
mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN );
|
||||
mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN );
|
||||
mbedtls_free( ssl->in_buf );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_ZLIB_SUPPORT)
|
||||
if( ssl->compress_buf != NULL )
|
||||
{
|
||||
mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN );
|
||||
mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
|
||||
mbedtls_free( ssl->compress_buf );
|
||||
}
|
||||
#endif
|
||||
|
|
Loading…
Reference in a new issue