Merge pull request #4458 from davidhorstmann-arm/remove-max-content-len
Remove MBEDTLS_SSL_MAX_CONTENT_LEN option
This commit is contained in:
commit
fdcde47f36
11 changed files with 41 additions and 70 deletions
4
ChangeLog.d/remove-max-content-len.txt
Normal file
4
ChangeLog.d/remove-max-content-len.txt
Normal file
|
@ -0,0 +1,4 @@
|
|||
Removals
|
||||
* Remove MBEDTLS_SSL_MAX_CONTENT_LEN configuration option, since
|
||||
MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN replace
|
||||
it. Fixes #4362.
|
|
@ -79,7 +79,8 @@
|
|||
* both ends of the connection! (See comments in "mbedtls/ssl.h".)
|
||||
* The optimal size here depends on the typical size of records.
|
||||
*/
|
||||
#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024
|
||||
#define MBEDTLS_SSL_IN_CONTENT_LEN 1024
|
||||
#define MBEDTLS_SSL_OUT_CONTENT_LEN 1024
|
||||
|
||||
#include "mbedtls/check_config.h"
|
||||
|
||||
|
|
|
@ -107,7 +107,8 @@
|
|||
* The minimum size here depends on the certificate chain used as well as the
|
||||
* typical size of records.
|
||||
*/
|
||||
#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024
|
||||
#define MBEDTLS_SSL_IN_CONTENT_LEN 1024
|
||||
#define MBEDTLS_SSL_OUT_CONTENT_LEN 1024
|
||||
|
||||
#include "mbedtls/check_config.h"
|
||||
|
||||
|
|
10
docs/3.0-migration-guide.d/remove-max-content-len.md
Normal file
10
docs/3.0-migration-guide.d/remove-max-content-len.md
Normal file
|
@ -0,0 +1,10 @@
|
|||
Remove the `MBEDTLS_SSL_MAX_CONTENT_LEN` configuration option
|
||||
-------------------------------------------------------------
|
||||
|
||||
This affects users who use the `MBEDTLS_SSL_MAX_CONTENT_LEN` option to
|
||||
set the maximum length of incoming and outgoing plaintext fragments,
|
||||
which can save memory by reducing the size of the TLS I/O buffers.
|
||||
|
||||
This option is replaced by the more fine-grained options
|
||||
`MBEDTLS_SSL_IN_CONTENT_LEN` and `MBEDTLS_SSL_OUT_CONTENT_LEN` that set
|
||||
the maximum incoming and outgoing plaintext fragment lengths, respectively.
|
|
@ -3531,32 +3531,6 @@
|
|||
|
||||
/* SSL options */
|
||||
|
||||
/** \def MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
*
|
||||
* Maximum length (in bytes) of incoming and outgoing plaintext fragments.
|
||||
*
|
||||
* This determines the size of both the incoming and outgoing TLS I/O buffers
|
||||
* in such a way that both are capable of holding the specified amount of
|
||||
* plaintext data, regardless of the protection mechanism used.
|
||||
*
|
||||
* To configure incoming and outgoing I/O buffers separately, use
|
||||
* #MBEDTLS_SSL_IN_CONTENT_LEN and #MBEDTLS_SSL_OUT_CONTENT_LEN,
|
||||
* which overwrite the value set by this option.
|
||||
*
|
||||
* \note When using a value less than the default of 16KB on the client, it is
|
||||
* recommended to use the Maximum Fragment Length (MFL) extension to
|
||||
* inform the server about this limitation. On the server, there
|
||||
* is no supported, standardized way of informing the client about
|
||||
* restriction on the maximum size of incoming messages, and unless
|
||||
* the limitation has been communicated by other means, it is recommended
|
||||
* to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
* while keeping the default value of 16KB for the incoming buffer.
|
||||
*
|
||||
* Uncomment to set the maximum plaintext size of both
|
||||
* incoming and outgoing I/O buffers.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384
|
||||
|
||||
/** \def MBEDTLS_SSL_IN_CONTENT_LEN
|
||||
*
|
||||
* Maximum length (in bytes) of incoming plaintext fragments.
|
||||
|
@ -3565,9 +3539,6 @@
|
|||
* that it is capable of holding the specified amount of plaintext data,
|
||||
* regardless of the protection mechanism used.
|
||||
*
|
||||
* If this option is undefined, it inherits its value from
|
||||
* #MBEDTLS_SSL_MAX_CONTENT_LEN.
|
||||
*
|
||||
* \note When using a value less than the default of 16KB on the client, it is
|
||||
* recommended to use the Maximum Fragment Length (MFL) extension to
|
||||
* inform the server about this limitation. On the server, there
|
||||
|
@ -3577,8 +3548,7 @@
|
|||
* to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
* while keeping the default value of 16KB for the incoming buffer.
|
||||
*
|
||||
* Uncomment to set the maximum plaintext size of the incoming I/O buffer
|
||||
* independently of the outgoing I/O buffer.
|
||||
* Uncomment to set the maximum plaintext size of the incoming I/O buffer.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
|
||||
|
||||
|
@ -3637,9 +3607,6 @@
|
|||
* that it is capable of holding the specified amount of plaintext data,
|
||||
* regardless of the protection mechanism used.
|
||||
*
|
||||
* If this option undefined, it inherits its value from
|
||||
* #MBEDTLS_SSL_MAX_CONTENT_LEN.
|
||||
*
|
||||
* It is possible to save RAM by setting a smaller outward buffer, while keeping
|
||||
* the default inward 16384 byte buffer to conform to the TLS specification.
|
||||
*
|
||||
|
@ -3648,8 +3615,7 @@
|
|||
* The specific size requirement depends on the configured ciphers and any
|
||||
* certificate data which is sent during the handshake.
|
||||
*
|
||||
* Uncomment to set the maximum plaintext size of the outgoing I/O buffer
|
||||
* independently of the incoming I/O buffer.
|
||||
* Uncomment to set the maximum plaintext size of the outgoing I/O buffer.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384
|
||||
|
||||
|
|
|
@ -236,16 +236,12 @@
|
|||
* if you're using the Max Fragment Length extension and you know all your
|
||||
* peers are using it too!
|
||||
*/
|
||||
#if !defined(MBEDTLS_SSL_MAX_CONTENT_LEN)
|
||||
#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_SSL_IN_CONTENT_LEN)
|
||||
#define MBEDTLS_SSL_IN_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_SSL_OUT_CONTENT_LEN)
|
||||
#define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
@ -3619,7 +3615,7 @@ size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl );
|
|||
/**
|
||||
* \brief Return the maximum fragment length (payload, in bytes) for
|
||||
* the input buffer. This is the negotiated maximum fragment
|
||||
* length, or, if there is none, MBEDTLS_SSL_MAX_CONTENT_LEN.
|
||||
* length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
|
||||
* If it is not defined either, the value is 2^14. This function
|
||||
* works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
|
||||
*
|
||||
|
|
|
@ -229,23 +229,19 @@
|
|||
* Check that we obey the standard's message size bounds
|
||||
*/
|
||||
|
||||
#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
|
||||
#error "Bad configuration - record content too large."
|
||||
#if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
|
||||
#error "Bad configuration - incoming record content too large."
|
||||
#endif
|
||||
|
||||
#if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
#error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
|
||||
#if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
|
||||
#error "Bad configuration - outgoing record content too large."
|
||||
#endif
|
||||
|
||||
#if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
#error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
|
||||
#endif
|
||||
|
||||
#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
|
||||
#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
|
||||
#error "Bad configuration - incoming protected record payload too large."
|
||||
#endif
|
||||
|
||||
#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
|
||||
#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
|
||||
#error "Bad configuration - outgoing protected record payload too large."
|
||||
#endif
|
||||
|
||||
|
|
|
@ -4647,7 +4647,7 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
|
|||
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
||||
size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl )
|
||||
{
|
||||
size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
|
||||
size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
|
||||
size_t read_mfl;
|
||||
|
||||
/* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
|
||||
|
|
|
@ -451,7 +451,7 @@ int main( void )
|
|||
" server_port=%%d default: 4433\n" \
|
||||
" debug_level=%%d default: 0 (disabled)\n" \
|
||||
" buffer_size=%%d default: 200 \n" \
|
||||
" (minimum: 1, max: 16385)\n" \
|
||||
" (minimum: 1)\n" \
|
||||
" response_size=%%d default: about 152 (basic response)\n" \
|
||||
" (minimum: 0, max: 16384)\n" \
|
||||
" increases buffer_size if bigger\n"\
|
||||
|
@ -1572,13 +1572,13 @@ int main( int argc, char *argv[] )
|
|||
else if( strcmp( p, "buffer_size" ) == 0 )
|
||||
{
|
||||
opt.buffer_size = atoi( q );
|
||||
if( opt.buffer_size < 1 || opt.buffer_size > MBEDTLS_SSL_MAX_CONTENT_LEN + 1 )
|
||||
if( opt.buffer_size < 1 )
|
||||
goto usage;
|
||||
}
|
||||
else if( strcmp( p, "response_size" ) == 0 )
|
||||
{
|
||||
opt.response_size = atoi( q );
|
||||
if( opt.response_size < 0 || opt.response_size > MBEDTLS_SSL_MAX_CONTENT_LEN )
|
||||
if( opt.response_size < 0 || opt.response_size > MBEDTLS_SSL_OUT_CONTENT_LEN )
|
||||
goto usage;
|
||||
if( opt.buffer_size < opt.response_size )
|
||||
opt.buffer_size = opt.response_size;
|
||||
|
|
|
@ -2595,14 +2595,6 @@ int query_config( const char *config )
|
|||
}
|
||||
#endif /* MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES */
|
||||
|
||||
#if defined(MBEDTLS_SSL_MAX_CONTENT_LEN)
|
||||
if( strcmp( "MBEDTLS_SSL_MAX_CONTENT_LEN", config ) == 0 )
|
||||
{
|
||||
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_MAX_CONTENT_LEN );
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_MAX_CONTENT_LEN */
|
||||
|
||||
#if defined(MBEDTLS_SSL_IN_CONTENT_LEN)
|
||||
if( strcmp( "MBEDTLS_SSL_IN_CONTENT_LEN", config ) == 0 )
|
||||
{
|
||||
|
|
|
@ -374,7 +374,7 @@ requires_not_i686() {
|
|||
}
|
||||
|
||||
# Calculate the input & output maximum content lengths set in the config
|
||||
MAX_CONTENT_LEN=$( ../scripts/config.py get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384")
|
||||
MAX_CONTENT_LEN=16384
|
||||
MAX_IN_LEN=$( ../scripts/config.py get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
|
||||
MAX_OUT_LEN=$( ../scripts/config.py get MBEDTLS_SSL_OUT_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
|
||||
|
||||
|
@ -3014,8 +3014,13 @@ run_test "Session resume using cache, DTLS: openssl server" \
|
|||
|
||||
# Tests for Max Fragment Length extension
|
||||
|
||||
if [ "$MAX_CONTENT_LEN" -lt "4096" ]; then
|
||||
printf '%s defines MBEDTLS_SSL_MAX_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n' "${CONFIG_H}"
|
||||
if [ "$MAX_IN_LEN" -lt "4096" ]; then
|
||||
printf '%s defines MBEDTLS_SSL_IN_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n' "${CONFIG_H}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$MAX_OUT_LEN" -lt "4096" ]; then
|
||||
printf '%s defines MBEDTLS_SSL_OUT_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n' "${CONFIG_H}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
|
Loading…
Reference in a new issue