From 95d516f319ccb5419dbcca2bd1ce69b494254174 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Tue, 4 May 2021 18:36:56 +0100 Subject: [PATCH 1/2] Remove MBEDTLS_SSL_MAX_CONTENT_LEN option Signed-off-by: David Horstmann --- ChangeLog.d/remove-max-content-len.txt | 4 ++ configs/config-ccm-psk-tls1_2.h | 3 +- configs/config-suite-b.h | 3 +- .../remove-max-content-len.md | 10 +++++ include/mbedtls/config.h | 38 +------------------ include/mbedtls/ssl.h | 10 ++--- library/ssl_misc.h | 16 +++----- library/ssl_tls.c | 2 +- programs/ssl/ssl_server2.c | 6 ++- programs/test/query_config.c | 8 ---- tests/ssl-opt.sh | 11 ++++-- 11 files changed, 42 insertions(+), 69 deletions(-) create mode 100644 ChangeLog.d/remove-max-content-len.txt create mode 100644 docs/3.0-migration-guide.d/remove-max-content-len.md diff --git a/ChangeLog.d/remove-max-content-len.txt b/ChangeLog.d/remove-max-content-len.txt new file mode 100644 index 000000000..b7607e6c6 --- /dev/null +++ b/ChangeLog.d/remove-max-content-len.txt @@ -0,0 +1,4 @@ +Removals + * Remove MBEDTLS_SSL_MAX_CONTENT_LEN configuration option, since + MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN replace + it. Fixes #4362. diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h index c58d150d9..a3662d895 100644 --- a/configs/config-ccm-psk-tls1_2.h +++ b/configs/config-ccm-psk-tls1_2.h @@ -79,7 +79,8 @@ * both ends of the connection! (See comments in "mbedtls/ssl.h".) * The optimal size here depends on the typical size of records. */ -#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024 +#define MBEDTLS_SSL_IN_CONTENT_LEN 1024 +#define MBEDTLS_SSL_OUT_CONTENT_LEN 1024 #include "mbedtls/check_config.h" diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h index 7cb566c1b..f1c809e67 100644 --- a/configs/config-suite-b.h +++ b/configs/config-suite-b.h 
@@ -107,7 +107,8 @@ * The minimum size here depends on the certificate chain used as well as the * typical size of records. */ -#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024 +#define MBEDTLS_SSL_IN_CONTENT_LEN 1024 +#define MBEDTLS_SSL_OUT_CONTENT_LEN 1024 #include "mbedtls/check_config.h" diff --git a/docs/3.0-migration-guide.d/remove-max-content-len.md b/docs/3.0-migration-guide.d/remove-max-content-len.md new file mode 100644 index 000000000..40c7d539f --- /dev/null +++ b/docs/3.0-migration-guide.d/remove-max-content-len.md @@ -0,0 +1,10 @@ +Remove the `MBEDTLS_SSL_MAX_CONTENT_LEN` configuration option +------------------------------------------------------------- + +This affects users who use the `MBEDTLS_SSL_MAX_CONTENT_LEN` option to +set the maximum length of incoming and outgoing plaintext fragments, +which can save memory by reducing the size of the TLS I/O buffers. + +This option is replaced by the more fine-grained options +`MBEDTLS_SSL_IN_CONTENT_LEN` and `MBEDTLS_SSL_OUT_CONTENT_LEN` that set +the maximum incoming and outgoing plaintext fragment lengths, respectively. diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 603d985ae..6714db33f 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h 
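Review bot: `MBEDTLS_SSL_IN_CONTENT_LEN 1024` is carried over from the old combined option without any comment on the incoming side, even though the two limits are now independently tunable; the text this same series removes from config.h advises keeping the incoming buffer at 16 KiB unless the peer has been told about the restriction via the MFL extension, because a server has no standard way to announce a smaller receive limit. If this profile is meant to be usable on the server side, a peer sending a full-size record will presumably be rejected rather than handled, so the choice should at least be documented above the define: `/* Incoming limit below 16 KiB: peers must honour the MFL extension, see config.h */`. Otherwise consider leaving MBEDTLS_SSL_IN_CONTENT_LEN at its default here and shrinking only MBEDTLS_SSL_OUT_CONTENT_LEN.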
@@ -3531,32 +3531,6 @@ /* SSL options */ -/** \def MBEDTLS_SSL_MAX_CONTENT_LEN - * - * Maximum length (in bytes) of incoming and outgoing plaintext fragments. - * - * This determines the size of both the incoming and outgoing TLS I/O buffers - * in such a way that both are capable of holding the specified amount of - * plaintext data, regardless of the protection mechanism used. - * - * To configure incoming and outgoing I/O buffers separately, use - * #MBEDTLS_SSL_IN_CONTENT_LEN and #MBEDTLS_SSL_OUT_CONTENT_LEN, - * which overwrite the value set by this option. - * - * \note When using a value less than the default of 16KB on the client, it is - * recommended to use the Maximum Fragment Length (MFL) extension to - * inform the server about this limitation. On the server, there - * is no supported, standardized way of informing the client about - * restriction on the maximum size of incoming messages, and unless - * the limitation has been communicated by other means, it is recommended - * to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN - * while keeping the default value of 16KB for the incoming buffer. - * - * Uncomment to set the maximum plaintext size of both - * incoming and outgoing I/O buffers. - */ -//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 - /** \def MBEDTLS_SSL_IN_CONTENT_LEN * * Maximum length (in bytes) of incoming plaintext fragments. @@ -3565,9 +3539,6 @@ * that it is capable of holding the specified amount of plaintext data, * regardless of the protection mechanism used. * - * If this option is undefined, it inherits its value from - * #MBEDTLS_SSL_MAX_CONTENT_LEN. - * * \note When using a value less than the default of 16KB on the client, it is * recommended to use the Maximum Fragment Length (MFL) extension to * inform the server about this limitation. On the server, there 
@@ -3577,8 +3548,7 @@ * to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN * while keeping the default value of 16KB for the incoming buffer. * - * Uncomment to set the maximum plaintext size of the incoming I/O buffer - * independently of the outgoing I/O buffer. + * Uncomment to set the maximum plaintext size of the incoming I/O buffer. */ //#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 @@ -3637,9 +3607,6 @@ * that it is capable of holding the specified amount of plaintext data, * regardless of the protection mechanism used. * - * If this option undefined, it inherits its value from - * #MBEDTLS_SSL_MAX_CONTENT_LEN. - * * It is possible to save RAM by setting a smaller outward buffer, while keeping * the default inward 16384 byte buffer to conform to the TLS specification. * @@ -3648,8 +3615,7 @@ * The specific size requirement depends on the configured ciphers and any * certificate data which is sent during the handshake. * - * Uncomment to set the maximum plaintext size of the outgoing I/O buffer - * independently of the incoming I/O buffer. + * Uncomment to set the maximum plaintext size of the outgoing I/O buffer. */ //#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 40814e660..9e750f7af 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -236,16 +236,12 @@ * if you're using the Max Fragment Length extension and you know all your * peers are using it too! */ -#if !defined(MBEDTLS_SSL_MAX_CONTENT_LEN) -#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */ -#endif - #if !defined(MBEDTLS_SSL_IN_CONTENT_LEN) -#define MBEDTLS_SSL_IN_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN +#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 #endif #if !defined(MBEDTLS_SSL_OUT_CONTENT_LEN) -#define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN +#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 #endif /* 
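Review bot: The `16384` literal now appears as a bare magic number in both new `#define`s in ssl.h, and the `/**< Size of the input / output buffer */` doc tag that explained the old fallback was dropped with it; the same literal is repeated as the upper bound in ssl_misc.h, so the two can drift apart without a compiler complaint. A short comment above the first fallback would restore the lost explanation: `/* Fallback: the 2^14-byte record plaintext limit that ssl_misc.h enforces. */`. The comment block preceding these defines starts before the hunk.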
@@ -3619,7 +3615,7 @@ size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl ); /** * \brief Return the maximum fragment length (payload, in bytes) for * the input buffer. This is the negotiated maximum fragment - * length, or, if there is none, MBEDTLS_SSL_MAX_CONTENT_LEN. + * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN. * If it is not defined either, the value is 2^14. This function * works as its predecessor, \c mbedtls_ssl_get_max_frag_len(). * diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 9ac48c757..9b3f4cd15 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -213,23 +213,19 @@ * Check that we obey the standard's message size bounds */ -#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384 -#error "Bad configuration - record content too large." +#if MBEDTLS_SSL_IN_CONTENT_LEN > 16384 +#error "Bad configuration - incoming record content too large." #endif -#if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN -#error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN." +#if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384 +#error "Bad configuration - outgoing record content too large." #endif -#if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN -#error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN." -#endif - -#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048 +#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048 #error "Bad configuration - incoming protected record payload too large." #endif -#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048 +#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048 #error "Bad configuration - outgoing protected record payload too large." #endif diff --git a/library/ssl_tls.c b/library/ssl_tls.c index bc2f269a9..614bb046e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
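Review bot: The sentence `If it is not defined either, the value is 2^14.` is now stale: the earlier hunk in this file makes ssl.h define MBEDTLS_SSL_IN_CONTENT_LEN unconditionally (to 16384 when config.h leaves it out), so there is no longer a case where it is undefined. Suggest folding the two sentences together: ` * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN (2^14 unless` / ` * overridden in config.h). This function works as its predecessor,`. The doc comment block starts before this hunk.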
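Review bot: The rewritten payload checks keep the unexplained `+ 2048` next to the equally unexplained `16384`, now compared per direction, with nothing in the file saying which standard limit each corresponds to; a reader cannot tell whether 2048 is the record-layer expansion allowance or a local choice. A one-line comment above the first `#if` would document both: `/* TLS 1.2 record bounds: 2^14 bytes of plaintext, at most 2048 bytes of protection overhead. */`. Separately, nothing here rejects a zero or tiny value for either option; if check_config.h (not in this diff) does not enforce a lower bound, a `#if MBEDTLS_SSL_IN_CONTENT_LEN < ...` guard would belong alongside these.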
@@ -4646,7 +4646,7 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl ) { - size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN; + size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN; size_t read_mfl; /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */ diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 8f97541af..0b89b5573 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1572,13 +1572,15 @@ int main( int argc, char *argv[] ) else if( strcmp( p, "buffer_size" ) == 0 ) { opt.buffer_size = atoi( q ); - if( opt.buffer_size < 1 || opt.buffer_size > MBEDTLS_SSL_MAX_CONTENT_LEN + 1 ) + if( opt.buffer_size < 1 || + ( opt.buffer_size > MBEDTLS_SSL_IN_CONTENT_LEN + 1 + && opt.buffer_size > MBEDTLS_SSL_OUT_CONTENT_LEN + 1 ) ) goto usage; } else if( strcmp( p, "response_size" ) == 0 ) { opt.response_size = atoi( q ); - if( opt.response_size < 0 || opt.response_size > MBEDTLS_SSL_MAX_CONTENT_LEN ) + if( opt.response_size < 0 || opt.response_size > MBEDTLS_SSL_OUT_CONTENT_LEN ) goto usage; if( opt.buffer_size < opt.response_size ) opt.buffer_size = opt.response_size; diff --git a/programs/test/query_config.c b/programs/test/query_config.c index 450e2fbbf..c6c4d1f04 100644 --- a/programs/test/query_config.c +++ b/programs/test/query_config.c @@ -2595,14 +2595,6 @@ int query_config( const char *config ) } #endif /* MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES */ -#if defined(MBEDTLS_SSL_MAX_CONTENT_LEN) - if( strcmp( "MBEDTLS_SSL_MAX_CONTENT_LEN", config ) == 0 ) - { - MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_MAX_CONTENT_LEN ); - return( 0 ); - } -#endif /* MBEDTLS_SSL_MAX_CONTENT_LEN */ - #if defined(MBEDTLS_SSL_IN_CONTENT_LEN) if( strcmp( "MBEDTLS_SSL_IN_CONTENT_LEN", config ) == 0 ) { diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 267b56446..80dfa0a92 100755 --- a/tests/ssl-opt.sh 
+++ b/tests/ssl-opt.sh @@ -374,7 +374,7 @@ requires_not_i686() { } # Calculate the input & output maximum content lengths set in the config -MAX_CONTENT_LEN=$( ../scripts/config.py get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384") +MAX_CONTENT_LEN=16384 MAX_IN_LEN=$( ../scripts/config.py get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN") MAX_OUT_LEN=$( ../scripts/config.py get MBEDTLS_SSL_OUT_CONTENT_LEN || echo "$MAX_CONTENT_LEN") @@ -3014,8 +3014,13 @@ run_test "Session resume using cache, DTLS: openssl server" \ # Tests for Max Fragment Length extension -if [ "$MAX_CONTENT_LEN" -lt "4096" ]; then - printf '%s defines MBEDTLS_SSL_MAX_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n' "${CONFIG_H}" +if [ "$MAX_IN_LEN" -lt "4096" ]; then + printf '%s defines MBEDTLS_SSL_IN_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n' "${CONFIG_H}" + exit 1 +fi + +if [ "$MAX_OUT_LEN" -lt "4096" ]; then + printf '%s defines MBEDTLS_SSL_OUT_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n' "${CONFIG_H}" exit 1 fi From fba138a08a6fe0c4ed63073ffa91d2f1cff03595 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Tue, 11 May 2021 15:23:56 +0100 Subject: [PATCH 2/2] Remove buffer_size maximum from ssl_server2.c Signed-off-by: David Horstmann --- programs/ssl/ssl_server2.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 0b89b5573..fa733c46a 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -451,7 +451,7 @@ int main( void ) " server_port=%%d default: 4433\n" \ " debug_level=%%d default: 0 (disabled)\n" \ " buffer_size=%%d default: 200 \n" \ - " (minimum: 1, max: 16385)\n" \ + " (minimum: 1)\n" \ " response_size=%%d default: about 152 (basic response)\n" \ " (minimum: 0, max: 16384)\n" \ " increases buffer_size if bigger\n"\ 
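Review bot: `MAX_CONTENT_LEN=16384` is now a hard-coded copy of the fallback in include/mbedtls/ssl.h, yet the comment above still says the lengths are calculated from the config, which is no longer where this default comes from; if the ssl.h fallback ever changes, the script will silently test against the wrong size. Suggest replacing that comment with `# Input/output content lengths from the config; 16384 is the fallback in include/mbedtls/ssl.h and must match it`. The `-lt` comparisons further down also assume `config.py get` prints a bare integer rather than an expression, which was already the case before this change.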
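Review bot: The usage text is now inconsistent between the two options: `buffer_size` correctly drops its stated maximum, but the adjacent `response_size` line still advertises `max: 16384` while the parser (patch 1, outside this hunk) rejects values above MBEDTLS_SSL_OUT_CONTENT_LEN, which may be configured smaller. Suggest `" (minimum: 0, max: MBEDTLS_SSL_OUT_CONTENT_LEN)\n"` or printing the actual value with `%%d` so the help matches what is accepted. The usage macro starts before this hunk.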
@@ -1572,9 +1572,7 @@ int main( int argc, char *argv[] )
 else if( strcmp( p, "buffer_size" ) == 0 )
 {
 opt.buffer_size = atoi( q );
- if( opt.buffer_size < 1 ||
- ( opt.buffer_size > MBEDTLS_SSL_IN_CONTENT_LEN + 1
- && opt.buffer_size > MBEDTLS_SSL_OUT_CONTENT_LEN + 1 ) )
+ if( opt.buffer_size < 1 )
 goto usage;
 }
 else if( strcmp( p, "response_size" ) == 0 )
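Review bot: Dropping the upper bound leaves `opt.buffer_size` bounded only from below, and `atoi( q )` gives no error signal, so a value such as `2147483647` now passes; the `+ 1` in the removed limit suggests the buffer is later sized as `opt.buffer_size + 1` (outside this hunk), which is signed overflow at INT_MAX and otherwise an allocation as large as the command line asks for. For a test program that may be acceptable, but a cap is cheap: `if( opt.buffer_size < 1 || opt.buffer_size > INT_MAX - 1 )` (needs `<limits.h>`), or a stated generous constant if the intent is merely to allow exceeding the configured content length. The response_size branch just below still raises buffer_size to response_size, so any cap must not be smaller than MBEDTLS_SSL_OUT_CONTENT_LEN.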