Merge remote-tracking branch 'public/pr/536' into development
This commit is contained in:
commit
e7aeef09ee
9 changed files with 340 additions and 164 deletions
|
@ -1378,7 +1378,8 @@
|
|||
#define SSL_ANTI_REPLAY_ENABLED MBEDTLS_SSL_ANTI_REPLAY_ENABLED
|
||||
#define SSL_ARC4_DISABLED MBEDTLS_SSL_ARC4_DISABLED
|
||||
#define SSL_ARC4_ENABLED MBEDTLS_SSL_ARC4_ENABLED
|
||||
#define SSL_BUFFER_LEN MBEDTLS_SSL_BUFFER_LEN
|
||||
#define SSL_BUFFER_LEN ( ( ( MBEDTLS_SSL_IN_BUFFER_LEN ) < ( MBEDTLS_SSL_OUT_BUFFER_LEN ) ) \
|
||||
? ( MBEDTLS_SSL_IN_BUFFER_LEN ) : ( MBEDTLS_SSL_OUT_BUFFER_LEN ) )
|
||||
#define SSL_CACHE_DEFAULT_MAX_ENTRIES MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
|
||||
#define SSL_CACHE_DEFAULT_TIMEOUT MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
|
||||
#define SSL_CBC_RECORD_SPLITTING_DISABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
|
||||
|
|
|
@ -2951,7 +2951,51 @@
|
|||
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
|
||||
|
||||
/* SSL options */
|
||||
//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
|
||||
|
||||
/** \def MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
*
|
||||
* Maximum fragment length in bytes.
|
||||
*
|
||||
* Determines the size of both the incoming and outgoing TLS I/O buffers.
|
||||
*
|
||||
* Uncommenting MBEDTLS_SSL_IN_CONTENT_LEN and/or MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
* will override this length by setting maximum incoming and/or outgoing
|
||||
* fragment length, respectively.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384
|
||||
|
||||
/** \def MBEDTLS_SSL_IN_CONTENT_LEN
|
||||
*
|
||||
* Maximum incoming fragment length in bytes.
|
||||
*
|
||||
* Uncomment to set the size of the inward TLS buffer independently of the
|
||||
* outward buffer.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
|
||||
|
||||
/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
*
|
||||
* Maximum outgoing fragment length in bytes.
|
||||
*
|
||||
* Uncomment to set the size of the outward TLS buffer independently of the
|
||||
* inward buffer.
|
||||
*
|
||||
* It is possible to save RAM by setting a smaller outward buffer, while keeping
|
||||
* the default inward 16384 byte buffer to conform to the TLS specification.
|
||||
*
|
||||
* The minimum required outward buffer size is determined by the handshake
|
||||
* protocol's usage. Handshaking will fail if the outward buffer is too small.
|
||||
* The specific size requirement depends on the configured ciphers and any
|
||||
* certificate data which is sent during the handshake.
|
||||
*
|
||||
* For absolute minimum RAM usage, it's best to enable
|
||||
* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This
|
||||
* reduces both incoming and outgoing buffer sizes. However this is only
|
||||
* guaranteed if the other end of the connection also supports the TLS
|
||||
* max_fragment_len extension. Otherwise the connection may fail.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384
|
||||
|
||||
//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
|
||||
//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
|
||||
//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
|
||||
|
|
|
@ -220,7 +220,7 @@
|
|||
#endif
|
||||
|
||||
/*
|
||||
* Maxium fragment length in bytes,
|
||||
* Maximum fragment length in bytes,
|
||||
* determines the size of each of the two internal I/O buffers.
|
||||
*
|
||||
* Note: the RFC defines the default size of SSL / TLS messages. If you
|
||||
|
@ -234,6 +234,14 @@
|
|||
#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_SSL_IN_CONTENT_LEN)
|
||||
#define MBEDTLS_SSL_IN_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_SSL_OUT_CONTENT_LEN)
|
||||
#define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
#endif
|
||||
|
||||
/* \} name SECTION: Module settings */
|
||||
|
||||
/*
|
||||
|
@ -2418,7 +2426,8 @@ void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
|
|||
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
||||
/**
|
||||
* \brief Set the maximum fragment length to emit and/or negotiate
|
||||
* (Default: MBEDTLS_SSL_MAX_CONTENT_LEN, usually 2^14 bytes)
|
||||
* (Default: the smaller of MBEDTLS_SSL_IN_CONTENT_LEN and
|
||||
* MBEDTLS_SSL_OUT_CONTENT_LEN, usually 2^14 bytes)
|
||||
* (Server: set maximum fragment length to emit,
|
||||
* usually negotiated by the client during handshake
|
||||
* (Client: set maximum fragment length to emit *and*
|
||||
|
|
|
@ -143,32 +143,73 @@
|
|||
#define MBEDTLS_SSL_PADDING_ADD 0
|
||||
#endif
|
||||
|
||||
#define MBEDTLS_SSL_PAYLOAD_LEN ( MBEDTLS_SSL_MAX_CONTENT_LEN \
|
||||
+ MBEDTLS_SSL_COMPRESSION_ADD \
|
||||
+ MBEDTLS_MAX_IV_LENGTH \
|
||||
+ MBEDTLS_SSL_MAC_ADD \
|
||||
+ MBEDTLS_SSL_PADDING_ADD \
|
||||
)
|
||||
#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD + \
|
||||
MBEDTLS_MAX_IV_LENGTH + \
|
||||
MBEDTLS_SSL_MAC_ADD + \
|
||||
MBEDTLS_SSL_PADDING_ADD \
|
||||
)
|
||||
|
||||
#define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
|
||||
( MBEDTLS_SSL_IN_CONTENT_LEN ) )
|
||||
|
||||
#define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
|
||||
( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
|
||||
|
||||
/* Maximum length we can advertise as our max content length for
|
||||
RFC 6066 max_fragment_length extension negotiation purposes
|
||||
(the lesser of both sizes, if they are unequal.)
|
||||
*/
|
||||
#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
|
||||
(MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
|
||||
? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
|
||||
: ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
|
||||
)
|
||||
|
||||
/*
|
||||
* Check that we obey the standard's message size bounds
|
||||
*/
|
||||
|
||||
#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
|
||||
#error Bad configuration - record content too large.
|
||||
#error "Bad configuration - record content too large."
|
||||
#endif
|
||||
|
||||
#if MBEDTLS_SSL_PAYLOAD_LEN > 16384 + 2048
|
||||
#error Bad configuration - protected record payload too large.
|
||||
#if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
#error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
|
||||
#endif
|
||||
|
||||
#if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
#error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
|
||||
#endif
|
||||
|
||||
#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
|
||||
#error "Bad configuration - incoming protected record payload too large."
|
||||
#endif
|
||||
|
||||
#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
|
||||
#error "Bad configuration - outgoing protected record payload too large."
|
||||
#endif
|
||||
|
||||
/* Calculate buffer sizes */
|
||||
|
||||
/* Note: Even though the TLS record header is only 5 bytes
|
||||
long, we're internally using 8 bytes to store the
|
||||
implicit sequence number. */
|
||||
#define MBEDTLS_SSL_HEADER_LEN 13
|
||||
|
||||
#define MBEDTLS_SSL_BUFFER_LEN \
|
||||
( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_PAYLOAD_LEN ) )
|
||||
#define MBEDTLS_SSL_IN_BUFFER_LEN \
|
||||
( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
|
||||
|
||||
#define MBEDTLS_SSL_OUT_BUFFER_LEN \
|
||||
( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
|
||||
|
||||
#ifdef MBEDTLS_ZLIB_SUPPORT
|
||||
/* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
|
||||
#define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \
|
||||
( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN ) \
|
||||
? MBEDTLS_SSL_IN_BUFFER_LEN \
|
||||
: MBEDTLS_SSL_OUT_BUFFER_LEN \
|
||||
)
|
||||
#endif
|
||||
|
||||
/*
|
||||
* TLS extension flags (for extensions with outgoing ServerHello content
|
||||
|
|
|
@ -57,7 +57,7 @@ static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
|
|||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
size_t hostname_len;
|
||||
|
||||
*olen = 0;
|
||||
|
@ -127,7 +127,7 @@ static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
|
|||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
|
||||
*olen = 0;
|
||||
|
||||
|
@ -171,7 +171,7 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
|
|||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
size_t sig_alg_len = 0;
|
||||
const int *md;
|
||||
#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
|
||||
|
@ -256,7 +256,7 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
|
|||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
unsigned char *elliptic_curve_list = p + 6;
|
||||
size_t elliptic_curve_len = 0;
|
||||
const mbedtls_ecp_curve_info *info;
|
||||
|
@ -329,7 +329,7 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
|
|||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
|
||||
*olen = 0;
|
||||
|
||||
|
@ -362,7 +362,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
|
|||
{
|
||||
int ret;
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
size_t kkpp_len;
|
||||
|
||||
*olen = 0;
|
||||
|
@ -439,7 +439,7 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
|
|||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
|
||||
*olen = 0;
|
||||
|
||||
|
@ -472,7 +472,7 @@ static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
|
|||
unsigned char *buf, size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
|
||||
*olen = 0;
|
||||
|
||||
|
@ -504,7 +504,7 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
|||
unsigned char *buf, size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
|
||||
*olen = 0;
|
||||
|
||||
|
@ -538,7 +538,7 @@ static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
|
|||
unsigned char *buf, size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
|
||||
*olen = 0;
|
||||
|
||||
|
@ -572,7 +572,7 @@ static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
|
|||
unsigned char *buf, size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
size_t tlen = ssl->session_negotiate->ticket_len;
|
||||
|
||||
*olen = 0;
|
||||
|
@ -616,7 +616,7 @@ static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
|
|||
unsigned char *buf, size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
size_t alpnlen = 0;
|
||||
const char **cur;
|
||||
|
||||
|
@ -2117,7 +2117,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
|
|||
size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
|
||||
unsigned char *p = ssl->handshake->premaster + pms_offset;
|
||||
|
||||
if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
|
||||
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||
|
@ -2160,7 +2160,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
|
|||
if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
|
||||
p, ssl->handshake->pmslen,
|
||||
ssl->out_msg + offset + len_bytes, olen,
|
||||
MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes,
|
||||
MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
|
||||
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
|
||||
|
@ -2926,7 +2926,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
i = 4;
|
||||
n = ssl->conf->psk_identity_len;
|
||||
|
||||
if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
|
||||
"SSL buffer too short" ) );
|
||||
|
@ -2962,7 +2962,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
*/
|
||||
n = ssl->handshake->dhm_ctx.len;
|
||||
|
||||
if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
|
||||
" or SSL buffer too short" ) );
|
||||
|
@ -2991,7 +2991,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
* ClientECDiffieHellmanPublic public;
|
||||
*/
|
||||
ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
|
||||
&ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
|
||||
&ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i,
|
||||
ssl->conf->f_rng, ssl->conf->p_rng );
|
||||
if( ret != 0 )
|
||||
{
|
||||
|
@ -3032,7 +3032,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
i = 4;
|
||||
|
||||
ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
|
||||
ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n,
|
||||
ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n,
|
||||
ssl->conf->f_rng, ssl->conf->p_rng );
|
||||
if( ret != 0 )
|
||||
{
|
||||
|
|
|
@ -1303,7 +1303,7 @@ read_record_header:
|
|||
else
|
||||
#endif
|
||||
{
|
||||
if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||
|
@ -2235,7 +2235,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
|
|||
{
|
||||
int ret;
|
||||
unsigned char *p = buf;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
size_t kkpp_len;
|
||||
|
||||
*olen = 0;
|
||||
|
@ -2342,7 +2342,7 @@ static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
|
|||
cookie_len_byte = p++;
|
||||
|
||||
if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
|
||||
&p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
|
||||
&p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
|
||||
ssl->cli_id, ssl->cli_id_len ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
|
||||
|
@ -2638,7 +2638,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
|||
size_t dn_size, total_dn_size; /* excluding length bytes */
|
||||
size_t ct_len, sa_len; /* including length bytes */
|
||||
unsigned char *buf, *p;
|
||||
const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
const mbedtls_x509_crt *crt;
|
||||
int authmode;
|
||||
|
||||
|
@ -2839,7 +2839,7 @@ static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
|
|||
* ssl_write_server_key_exchange also takes care of incrementing
|
||||
* ssl->out_msglen. */
|
||||
unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
|
||||
size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
- sig_start );
|
||||
int ret = ssl->conf->f_async_resume( ssl,
|
||||
sig_start, signature_len, sig_max_len );
|
||||
|
@ -2893,7 +2893,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
|||
ret = mbedtls_ecjpake_write_round_two(
|
||||
&ssl->handshake->ecjpake_ctx,
|
||||
ssl->out_msg + ssl->out_msglen,
|
||||
MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen, &len,
|
||||
MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
|
||||
ssl->conf->f_rng, ssl->conf->p_rng );
|
||||
if( ret != 0 )
|
||||
{
|
||||
|
@ -3020,7 +3020,7 @@ curve_matching_done:
|
|||
if( ( ret = mbedtls_ecdh_make_params(
|
||||
&ssl->handshake->ecdh_ctx, &len,
|
||||
ssl->out_msg + ssl->out_msglen,
|
||||
MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen,
|
||||
MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
|
||||
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
|
||||
|
@ -4171,7 +4171,7 @@ static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
|
|||
if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
|
||||
ssl->session_negotiate,
|
||||
ssl->out_msg + 10,
|
||||
ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
|
||||
ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
|
||||
&tlen, &lifetime ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
|
||||
|
|
|
@ -141,14 +141,24 @@ static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
|
|||
* } MaxFragmentLength;
|
||||
* and we add 0 -> extension unused
|
||||
*/
|
||||
static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] =
|
||||
static unsigned int ssl_mfl_code_to_length( int mfl )
|
||||
{
|
||||
MBEDTLS_SSL_MAX_CONTENT_LEN, /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */
|
||||
512, /* MBEDTLS_SSL_MAX_FRAG_LEN_512 */
|
||||
1024, /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */
|
||||
2048, /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */
|
||||
4096, /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */
|
||||
};
|
||||
switch( mfl )
|
||||
{
|
||||
case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
|
||||
return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
|
||||
case MBEDTLS_SSL_MAX_FRAG_LEN_512:
|
||||
return 512;
|
||||
case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
|
||||
return 1024;
|
||||
case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
|
||||
return 2048;
|
||||
case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
|
||||
return 4096;
|
||||
default:
|
||||
return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CLI_C)
|
||||
|
@ -956,11 +966,11 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
|||
if( ssl->compress_buf == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
|
||||
ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN );
|
||||
ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
|
||||
if( ssl->compress_buf == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
|
||||
MBEDTLS_SSL_BUFFER_LEN ) );
|
||||
MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
|
||||
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
||||
}
|
||||
}
|
||||
|
@ -1297,11 +1307,11 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
|
|||
MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
|
||||
ssl->out_msg, ssl->out_msglen );
|
||||
|
||||
if( ssl->out_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",
|
||||
(unsigned) ssl->out_msglen,
|
||||
MBEDTLS_SSL_MAX_CONTENT_LEN ) );
|
||||
MBEDTLS_SSL_OUT_CONTENT_LEN ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
|
@ -1906,14 +1916,14 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
|
|||
* Padding is guaranteed to be incorrect if:
|
||||
* 1. padlen >= ssl->in_msglen
|
||||
*
|
||||
* 2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN +
|
||||
* 2. padding_idx >= MBEDTLS_SSL_IN_CONTENT_LEN +
|
||||
* ssl->transform_in->maclen
|
||||
*
|
||||
* In both cases we reset padding_idx to a safe value (0) to
|
||||
* prevent out-of-buffer reads.
|
||||
*/
|
||||
correct &= ( ssl->in_msglen >= padlen + 1 );
|
||||
correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN +
|
||||
correct &= ( padding_idx < MBEDTLS_SSL_IN_CONTENT_LEN +
|
||||
ssl->transform_in->maclen );
|
||||
|
||||
padding_idx *= correct;
|
||||
|
@ -2126,7 +2136,7 @@ static int ssl_compress_buf( mbedtls_ssl_context *ssl )
|
|||
ssl->transform_out->ctx_deflate.next_in = msg_pre;
|
||||
ssl->transform_out->ctx_deflate.avail_in = len_pre;
|
||||
ssl->transform_out->ctx_deflate.next_out = msg_post;
|
||||
ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN - bytes_written;
|
||||
ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_OUT_BUFFER_LEN - bytes_written;
|
||||
|
||||
ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
|
||||
if( ret != Z_OK )
|
||||
|
@ -2135,7 +2145,7 @@ static int ssl_compress_buf( mbedtls_ssl_context *ssl )
|
|||
return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
|
||||
}
|
||||
|
||||
ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN -
|
||||
ssl->out_msglen = MBEDTLS_SSL_OUT_BUFFER_LEN -
|
||||
ssl->transform_out->ctx_deflate.avail_out - bytes_written;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
|
||||
|
@ -2173,7 +2183,7 @@ static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
|
|||
ssl->transform_in->ctx_inflate.next_in = msg_pre;
|
||||
ssl->transform_in->ctx_inflate.avail_in = len_pre;
|
||||
ssl->transform_in->ctx_inflate.next_out = msg_post;
|
||||
ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_BUFFER_LEN -
|
||||
ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_IN_BUFFER_LEN -
|
||||
header_bytes;
|
||||
|
||||
ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
|
||||
|
@ -2183,7 +2193,7 @@ static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
|
|||
return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
|
||||
}
|
||||
|
||||
ssl->in_msglen = MBEDTLS_SSL_BUFFER_LEN -
|
||||
ssl->in_msglen = MBEDTLS_SSL_IN_BUFFER_LEN -
|
||||
ssl->transform_in->ctx_inflate.avail_out - header_bytes;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
|
||||
|
@ -2258,7 +2268,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
|
|||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
|
||||
if( nb_want > MBEDTLS_SSL_IN_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
@ -2344,7 +2354,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
|
|||
}
|
||||
else
|
||||
{
|
||||
len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
|
||||
len = MBEDTLS_SSL_IN_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
|
||||
|
||||
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
|
||||
timeout = ssl->handshake->retransmit_timeout;
|
||||
|
@ -2798,12 +2808,12 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
|
|||
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
||||
{
|
||||
/* Make room for the additional DTLS fields */
|
||||
if( MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen < 8 )
|
||||
if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
|
||||
"size %u, maximum %u",
|
||||
(unsigned) ( ssl->in_hslen - 4 ),
|
||||
(unsigned) ( MBEDTLS_SSL_MAX_CONTENT_LEN - 12 ) ) );
|
||||
(unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
|
@ -3016,7 +3026,7 @@ static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl )
|
|||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
|
||||
msg_len ) );
|
||||
|
||||
if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( ssl->in_hslen > MBEDTLS_SSL_IN_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) );
|
||||
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
||||
|
@ -3120,7 +3130,7 @@ static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl )
|
|||
ssl->next_record_offset = new_remain - ssl->in_hdr;
|
||||
ssl->in_left = ssl->next_record_offset + remain_len;
|
||||
|
||||
if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN -
|
||||
if( ssl->in_left > MBEDTLS_SSL_IN_BUFFER_LEN -
|
||||
(size_t)( ssl->in_hdr - ssl->in_buf ) )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) );
|
||||
|
@ -3496,7 +3506,7 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
|
|||
ssl->conf->p_cookie,
|
||||
ssl->cli_id, ssl->cli_id_len,
|
||||
ssl->in_buf, ssl->in_left,
|
||||
ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len );
|
||||
ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
|
||||
|
||||
|
@ -3593,7 +3603,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
|||
}
|
||||
|
||||
/* Check length against the size of our buffer */
|
||||
if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN
|
||||
if( ssl->in_msglen > MBEDTLS_SSL_IN_BUFFER_LEN
|
||||
- (size_t)( ssl->in_msg - ssl->in_buf ) )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
|
||||
|
@ -3687,7 +3697,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
|||
if( ssl->transform_in == NULL )
|
||||
{
|
||||
if( ssl->in_msglen < 1 ||
|
||||
ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
|
||||
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
|
||||
|
@ -3703,7 +3713,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
|||
|
||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
|
||||
ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
|
||||
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
|
||||
|
@ -3716,7 +3726,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
|||
*/
|
||||
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
|
||||
ssl->in_msglen > ssl->transform_in->minlen +
|
||||
MBEDTLS_SSL_MAX_CONTENT_LEN + 256 )
|
||||
MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
|
||||
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
|
||||
|
@ -3764,7 +3774,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
|
|||
MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
|
||||
ssl->in_msg, ssl->in_msglen );
|
||||
|
||||
if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
|
||||
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
|
||||
|
@ -4325,10 +4335,10 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
|||
while( crt != NULL )
|
||||
{
|
||||
n = crt->raw.len;
|
||||
if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i )
|
||||
if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
|
||||
i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) );
|
||||
i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) );
|
||||
return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
|
||||
}
|
||||
|
||||
|
@ -5662,17 +5672,23 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
|
|||
const mbedtls_ssl_config *conf )
|
||||
{
|
||||
int ret;
|
||||
const size_t len = MBEDTLS_SSL_BUFFER_LEN;
|
||||
|
||||
ssl->conf = conf;
|
||||
|
||||
/*
|
||||
* Prepare base structures
|
||||
*/
|
||||
if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL ||
|
||||
( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL )
|
||||
ssl->in_buf = mbedtls_calloc( 1, MBEDTLS_SSL_IN_BUFFER_LEN );
|
||||
if( ssl->in_buf == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN) );
|
||||
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
||||
}
|
||||
|
||||
ssl->out_buf = mbedtls_calloc( 1, MBEDTLS_SSL_OUT_BUFFER_LEN );
|
||||
if( ssl->out_buf == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_OUT_BUFFER_LEN) );
|
||||
mbedtls_free( ssl->in_buf );
|
||||
ssl->in_buf = NULL;
|
||||
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
||||
|
@ -5773,9 +5789,9 @@ static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
|
|||
ssl->transform_in = NULL;
|
||||
ssl->transform_out = NULL;
|
||||
|
||||
memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
|
||||
memset( ssl->out_buf, 0, MBEDTLS_SSL_OUT_BUFFER_LEN );
|
||||
if( partial == 0 )
|
||||
memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
|
||||
memset( ssl->in_buf, 0, MBEDTLS_SSL_IN_BUFFER_LEN );
|
||||
|
||||
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
|
||||
if( mbedtls_ssl_hw_record_reset != NULL )
|
||||
|
@ -6100,7 +6116,7 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
|
|||
|
||||
/* Identity len will be encoded on two bytes */
|
||||
if( ( psk_identity_len >> 16 ) != 0 ||
|
||||
psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
|
||||
{
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
@ -6401,7 +6417,7 @@ void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
|
|||
int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
|
||||
{
|
||||
if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
|
||||
mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
|
||||
{
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
@ -6679,15 +6695,15 @@ size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
|
|||
/*
|
||||
* Assume mfl_code is correct since it was checked when set
|
||||
*/
|
||||
max_len = mfl_code_to_length[ssl->conf->mfl_code];
|
||||
max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
|
||||
|
||||
/*
|
||||
* Check if a smaller max length was negotiated
|
||||
*/
|
||||
if( ssl->session_out != NULL &&
|
||||
mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
|
||||
ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
|
||||
{
|
||||
max_len = mfl_code_to_length[ssl->session_out->mfl_code];
|
||||
max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
|
||||
}
|
||||
|
||||
return max_len;
|
||||
|
@ -7249,7 +7265,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl,
|
|||
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
||||
size_t max_len = mbedtls_ssl_get_max_frag_len( ssl );
|
||||
#else
|
||||
size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||
if( len > max_len )
|
||||
{
|
||||
|
@ -7562,20 +7578,20 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
|
|||
|
||||
if( ssl->out_buf != NULL )
|
||||
{
|
||||
mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN );
|
||||
mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN );
|
||||
mbedtls_free( ssl->out_buf );
|
||||
}
|
||||
|
||||
if( ssl->in_buf != NULL )
|
||||
{
|
||||
mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN );
|
||||
mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN );
|
||||
mbedtls_free( ssl->in_buf );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_ZLIB_SUPPORT)
|
||||
if( ssl->compress_buf != NULL )
|
||||
{
|
||||
mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN );
|
||||
mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
|
||||
mbedtls_free( ssl->compress_buf );
|
||||
}
|
||||
#endif
|
||||
|
|
|
@ -526,6 +526,28 @@ tests/ssl-opt.sh -f RSA
|
|||
msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min
|
||||
tests/compat.sh -t RSA
|
||||
|
||||
msg "build: small SSL_OUT_CONTENT_LEN (ASan build)"
|
||||
cleanup
|
||||
cp "$CONFIG_H" "$CONFIG_BAK"
|
||||
scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 16384
|
||||
scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
|
||||
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
|
||||
make
|
||||
|
||||
msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests"
|
||||
if_build_succeeded tests/ssl-opt.sh -f "Max fragment\|Large packet"
|
||||
|
||||
msg "build: small SSL_IN_CONTENT_LEN (ASan build)"
|
||||
cleanup
|
||||
cp "$CONFIG_H" "$CONFIG_BAK"
|
||||
scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 4096
|
||||
scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 16384
|
||||
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
|
||||
make
|
||||
|
||||
msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests"
|
||||
if_build_succeeded tests/ssl-opt.sh -f "Max fragment"
|
||||
|
||||
msg "build: cmake, full config, clang" # ~ 50s
|
||||
cleanup
|
||||
cp "$CONFIG_H" "$CONFIG_BAK"
|
||||
|
@ -640,6 +662,7 @@ scripts/config.pl unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc.
|
|||
scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux
|
||||
make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0 -std=c99 -pedantic' lib
|
||||
|
||||
# Run max fragment length tests with MFL disabled
|
||||
msg "build: default config except MFL extension (ASan build)" # ~ 30s
|
||||
cleanup
|
||||
cp "$CONFIG_H" "$CONFIG_BAK"
|
||||
|
@ -650,6 +673,18 @@ make
|
|||
msg "test: ssl-opt.sh, MFL-related tests"
|
||||
if_build_succeeded tests/ssl-opt.sh -f "Max fragment length"
|
||||
|
||||
msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)"
|
||||
cleanup
|
||||
cp "$CONFIG_H" "$CONFIG_BAK"
|
||||
scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
|
||||
scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 16384
|
||||
scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
|
||||
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
|
||||
make
|
||||
|
||||
msg "test: MFL tests (disabled MFL extension case) & large packet tests"
|
||||
if_build_succeeded tests/ssl-opt.sh -f "Max fragment length\|Large buffer"
|
||||
|
||||
msg "build: default config with MBEDTLS_TEST_NULL_ENTROPY (ASan build)"
|
||||
cleanup
|
||||
cp "$CONFIG_H" "$CONFIG_BAK"
|
||||
|
|
184
tests/ssl-opt.sh
184
tests/ssl-opt.sh
|
@ -21,6 +21,11 @@
|
|||
|
||||
set -u
|
||||
|
||||
if cd $( dirname $0 ); then :; else
|
||||
echo "cd $( dirname $0 ) failed" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# default values, can be overriden by the environment
|
||||
: ${P_SRV:=../programs/ssl/ssl_server2}
|
||||
: ${P_CLI:=../programs/ssl/ssl_client2}
|
||||
|
@ -178,6 +183,25 @@ requires_ipv6() {
|
|||
fi
|
||||
}
|
||||
|
||||
# Calculate the input & output maximum content lengths set in the config
|
||||
MAX_CONTENT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384")
|
||||
MAX_IN_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
|
||||
MAX_OUT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_OUT_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
|
||||
|
||||
if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
|
||||
MAX_CONTENT_LEN="$MAX_IN_LEN"
|
||||
fi
|
||||
if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
|
||||
MAX_CONTENT_LEN="$MAX_OUT_LEN"
|
||||
fi
|
||||
|
||||
# skip the next test if the SSL output buffer is less than 16KB
|
||||
requires_full_size_output_buffer() {
|
||||
if [ "$MAX_OUT_LEN" -ne 16384 ]; then
|
||||
SKIP_NEXT="YES"
|
||||
fi
|
||||
}
|
||||
|
||||
# skip the next test if valgrind is in use
|
||||
not_with_valgrind() {
|
||||
if [ "$MEMCHECK" -gt 0 ]; then
|
||||
|
@ -626,11 +650,6 @@ cleanup() {
|
|||
# MAIN
|
||||
#
|
||||
|
||||
if cd $( dirname $0 ); then :; else
|
||||
echo "cd $( dirname $0 ) failed" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
get_options "$@"
|
||||
|
||||
# sanity checks, avoid an avalanche of errors
|
||||
|
@ -1416,28 +1435,22 @@ run_test "Session resume using cache: openssl server" \
|
|||
|
||||
# Tests for Max Fragment Length extension
|
||||
|
||||
MAX_CONTENT_LEN_EXPECT='16384'
|
||||
MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)
|
||||
|
||||
if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
|
||||
printf "The ${CONFIG_H} file contains a value for the configuration of\n"
|
||||
printf "MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n"
|
||||
printf "test value of ${MAX_CONTENT_LEN_EXPECT}. \n"
|
||||
printf "\n"
|
||||
printf "The tests assume this value and if it changes, the tests in this\n"
|
||||
printf "script should also be adjusted.\n"
|
||||
printf "\n"
|
||||
|
||||
if [ "$MAX_CONTENT_LEN" -lt "4096" ]; then
|
||||
printf "${CONFIG_H} defines MBEDTLS_SSL_MAX_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ $MAX_CONTENT_LEN -ne 16384 ]; then
|
||||
printf "Using non-default maximum content length $MAX_CONTENT_LEN\n"
|
||||
fi
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
|
||||
run_test "Max fragment length: enabled, default" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$P_CLI debug_level=3" \
|
||||
0 \
|
||||
-c "Maximum fragment length is 16384" \
|
||||
-s "Maximum fragment length is 16384" \
|
||||
-c "Maximum fragment length is $MAX_CONTENT_LEN" \
|
||||
-s "Maximum fragment length is $MAX_CONTENT_LEN" \
|
||||
-C "client hello, adding max_fragment_length extension" \
|
||||
-S "found max fragment length extension" \
|
||||
-S "server hello, max_fragment_length extension" \
|
||||
|
@ -1446,46 +1459,50 @@ run_test "Max fragment length: enabled, default" \
|
|||
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
|
||||
run_test "Max fragment length: enabled, default, larger message" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$P_CLI debug_level=3 request_size=16385" \
|
||||
"$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
|
||||
0 \
|
||||
-c "Maximum fragment length is 16384" \
|
||||
-s "Maximum fragment length is 16384" \
|
||||
-c "Maximum fragment length is $MAX_CONTENT_LEN" \
|
||||
-s "Maximum fragment length is $MAX_CONTENT_LEN" \
|
||||
-C "client hello, adding max_fragment_length extension" \
|
||||
-S "found max fragment length extension" \
|
||||
-S "server hello, max_fragment_length extension" \
|
||||
-C "found max_fragment_length extension" \
|
||||
-c "16385 bytes written in 2 fragments" \
|
||||
-s "16384 bytes read" \
|
||||
-c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
|
||||
-s "$MAX_CONTENT_LEN bytes read" \
|
||||
-s "1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
|
||||
run_test "Max fragment length, DTLS: enabled, default, larger message" \
|
||||
"$P_SRV debug_level=3 dtls=1" \
|
||||
"$P_CLI debug_level=3 dtls=1 request_size=16385" \
|
||||
"$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
|
||||
1 \
|
||||
-c "Maximum fragment length is 16384" \
|
||||
-s "Maximum fragment length is 16384" \
|
||||
-c "Maximum fragment length is $MAX_CONTENT_LEN" \
|
||||
-s "Maximum fragment length is $MAX_CONTENT_LEN" \
|
||||
-C "client hello, adding max_fragment_length extension" \
|
||||
-S "found max fragment length extension" \
|
||||
-S "server hello, max_fragment_length extension" \
|
||||
-C "found max_fragment_length extension" \
|
||||
-c "fragment larger than.*maximum "
|
||||
|
||||
# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled
|
||||
# (session fragment length will be 16384 regardless of mbedtls
|
||||
# content length configuration.)
|
||||
|
||||
requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
|
||||
run_test "Max fragment length: disabled, larger message" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$P_CLI debug_level=3 request_size=16385" \
|
||||
"$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
|
||||
0 \
|
||||
-C "Maximum fragment length is 16384" \
|
||||
-S "Maximum fragment length is 16384" \
|
||||
-c "16385 bytes written in 2 fragments" \
|
||||
-s "16384 bytes read" \
|
||||
-c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
|
||||
-s "$MAX_CONTENT_LEN bytes read" \
|
||||
-s "1 bytes read"
|
||||
|
||||
requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
|
||||
run_test "Max fragment length DTLS: disabled, larger message" \
|
||||
"$P_SRV debug_level=3 dtls=1" \
|
||||
"$P_CLI debug_level=3 dtls=1 request_size=16385" \
|
||||
"$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
|
||||
1 \
|
||||
-C "Maximum fragment length is 16384" \
|
||||
-S "Maximum fragment length is 16384" \
|
||||
|
@ -1508,7 +1525,7 @@ run_test "Max fragment length: used by server" \
|
|||
"$P_SRV debug_level=3 max_frag_len=4096" \
|
||||
"$P_CLI debug_level=3" \
|
||||
0 \
|
||||
-c "Maximum fragment length is 16384" \
|
||||
-c "Maximum fragment length is $MAX_CONTENT_LEN" \
|
||||
-s "Maximum fragment length is 4096" \
|
||||
-C "client hello, adding max_fragment_length extension" \
|
||||
-S "found max fragment length extension" \
|
||||
|
@ -2376,6 +2393,7 @@ if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
requires_full_size_output_buffer
|
||||
run_test "Authentication: server max_int chain, client default" \
|
||||
"$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
|
||||
key_file=data_files/dir-maxpath/09.key" \
|
||||
|
@ -2383,6 +2401,7 @@ run_test "Authentication: server max_int chain, client default" \
|
|||
0 \
|
||||
-C "X509 - A fatal error occured"
|
||||
|
||||
requires_full_size_output_buffer
|
||||
run_test "Authentication: server max_int+1 chain, client default" \
|
||||
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
|
||||
key_file=data_files/dir-maxpath/10.key" \
|
||||
|
@ -2390,6 +2409,7 @@ run_test "Authentication: server max_int+1 chain, client default" \
|
|||
1 \
|
||||
-c "X509 - A fatal error occured"
|
||||
|
||||
requires_full_size_output_buffer
|
||||
run_test "Authentication: server max_int+1 chain, client optional" \
|
||||
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
|
||||
key_file=data_files/dir-maxpath/10.key" \
|
||||
|
@ -2398,6 +2418,7 @@ run_test "Authentication: server max_int+1 chain, client optional" \
|
|||
1 \
|
||||
-c "X509 - A fatal error occured"
|
||||
|
||||
requires_full_size_output_buffer
|
||||
run_test "Authentication: server max_int+1 chain, client none" \
|
||||
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
|
||||
key_file=data_files/dir-maxpath/10.key" \
|
||||
|
@ -2406,6 +2427,7 @@ run_test "Authentication: server max_int+1 chain, client none" \
|
|||
0 \
|
||||
-C "X509 - A fatal error occured"
|
||||
|
||||
requires_full_size_output_buffer
|
||||
run_test "Authentication: client max_int+1 chain, server default" \
|
||||
"$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
|
||||
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
|
||||
|
@ -2413,6 +2435,7 @@ run_test "Authentication: client max_int+1 chain, server default" \
|
|||
0 \
|
||||
-S "X509 - A fatal error occured"
|
||||
|
||||
requires_full_size_output_buffer
|
||||
run_test "Authentication: client max_int+1 chain, server optional" \
|
||||
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
|
||||
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
|
||||
|
@ -2420,6 +2443,7 @@ run_test "Authentication: client max_int+1 chain, server optional" \
|
|||
1 \
|
||||
-s "X509 - A fatal error occured"
|
||||
|
||||
requires_full_size_output_buffer
|
||||
run_test "Authentication: client max_int+1 chain, server required" \
|
||||
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
|
||||
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
|
||||
|
@ -2427,6 +2451,7 @@ run_test "Authentication: client max_int+1 chain, server required" \
|
|||
1 \
|
||||
-s "X509 - A fatal error occured"
|
||||
|
||||
requires_full_size_output_buffer
|
||||
run_test "Authentication: client max_int chain, server required" \
|
||||
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
|
||||
"$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
|
||||
|
@ -3970,14 +3995,19 @@ run_test "SSLv3 with extensions, server side" \
|
|||
|
||||
# Test for large packets
|
||||
|
||||
# How many fragments do we expect to write $1 bytes?
|
||||
fragments_for_write() {
|
||||
echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
|
||||
}
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
|
||||
run_test "Large packet SSLv3 BlockCipher" \
|
||||
"$P_SRV min_version=ssl3" \
|
||||
"$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
|
||||
run_test "Large packet SSLv3 StreamCipher" \
|
||||
|
@ -3985,23 +4015,23 @@ run_test "Large packet SSLv3 StreamCipher" \
|
|||
"$P_CLI request_size=16384 force_version=ssl3 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.0 BlockCipher" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.0 BlockCipher, without EtM" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \
|
||||
|
@ -4009,8 +4039,8 @@ run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \
|
|||
"$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
|
||||
|
@ -4018,21 +4048,21 @@ run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
|
|||
"$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.0 StreamCipher" \
|
||||
"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
"$P_CLI request_size=16384 force_version=tls1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.0 StreamCipher, without EtM" \
|
||||
"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
"$P_CLI request_size=16384 force_version=tls1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \
|
||||
|
@ -4040,7 +4070,7 @@ run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \
|
|||
"$P_CLI request_size=16384 force_version=tls1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
|
||||
|
@ -4048,23 +4078,23 @@ run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
|
|||
"$P_CLI request_size=16384 force_version=tls1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.1 BlockCipher" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.1 BlockCipher, without EtM" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \
|
||||
|
@ -4072,7 +4102,7 @@ run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \
|
|||
"$P_CLI request_size=16384 force_version=tls1_1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
|
||||
|
@ -4080,23 +4110,23 @@ run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
|
|||
"$P_CLI request_size=16384 force_version=tls1_1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.1 StreamCipher" \
|
||||
"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.1 StreamCipher, without EtM" \
|
||||
"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \
|
||||
|
@ -4104,7 +4134,7 @@ run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \
|
|||
"$P_CLI request_size=16384 force_version=tls1_1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
|
||||
|
@ -4112,31 +4142,31 @@ run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
|
|||
"$P_CLI request_size=16384 force_version=tls1_1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.2 BlockCipher" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.2 BlockCipher, without EtM" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \
|
||||
|
@ -4144,7 +4174,7 @@ run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \
|
|||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
|
||||
|
@ -4152,23 +4182,23 @@ run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
|
|||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.2 StreamCipher" \
|
||||
"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.2 StreamCipher, without EtM" \
|
||||
"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \
|
||||
|
@ -4176,7 +4206,7 @@ run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \
|
|||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
|
||||
|
@ -4184,24 +4214,24 @@ run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
|
|||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.2 AEAD" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large packet TLS 1.2 AEAD shorter tag" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
|
||||
0 \
|
||||
-c "16384 bytes written in 1 fragments" \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
# Tests of asynchronous private key support in SSL
|
||||
|
||||
|
|
Loading…
Reference in a new issue