|
Packit |
aea12f |
/*
|
|
Packit |
aea12f |
* Copyright (C) 2001-2012 Free Software Foundation, Inc.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Author: Nikos Mavrogiannopoulos
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This file is part of GnuTLS.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* The GnuTLS is free software; you can redistribute it and/or
|
|
Packit |
aea12f |
* modify it under the terms of the GNU Lesser General Public License
|
|
Packit |
aea12f |
* as published by the Free Software Foundation; either version 2.1 of
|
|
Packit |
aea12f |
* the License, or (at your option) any later version.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This library is distributed in the hope that it will be useful, but
|
|
Packit |
aea12f |
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit |
aea12f |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Packit |
aea12f |
* Lesser General Public License for more details.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* You should have received a copy of the GNU Lesser General Public License
|
|
Packit |
aea12f |
* along with this program. If not, see <https://www.gnu.org/licenses/>
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* This file contains the code for the Max Record Size TLS extension.
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
#include "gnutls_int.h"
|
|
Packit |
aea12f |
#include "errors.h"
|
|
Packit |
aea12f |
#include "num.h"
|
|
Packit |
aea12f |
#include <hello_ext.h>
|
|
Packit |
aea12f |
#include <ext/max_record.h>
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
static int _gnutls_max_record_recv_params(gnutls_session_t session,
|
|
Packit |
aea12f |
const uint8_t * data,
|
|
Packit |
aea12f |
size_t data_size);
|
|
Packit |
aea12f |
static int _gnutls_max_record_send_params(gnutls_session_t session,
|
|
Packit |
aea12f |
gnutls_buffer_st * extdata);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* Maps record size to numbers according to the
|
|
Packit |
aea12f |
* extensions draft.
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
static int _gnutls_mre_num2record(int num);
|
|
Packit |
aea12f |
static int _gnutls_mre_record2num(uint16_t record_size);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
const hello_ext_entry_st ext_mod_max_record_size = {
|
|
Packit |
aea12f |
.name = "Maximum Record Size",
|
|
Packit |
aea12f |
.tls_id = 1,
|
|
Packit |
aea12f |
.gid = GNUTLS_EXTENSION_MAX_RECORD_SIZE,
|
|
Packit |
aea12f |
.parse_type = GNUTLS_EXT_TLS,
|
|
Packit |
aea12f |
.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |
|
|
Packit |
aea12f |
GNUTLS_EXT_FLAG_EE | GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
|
|
Packit |
aea12f |
.recv_func = _gnutls_max_record_recv_params,
|
|
Packit |
aea12f |
.send_func = _gnutls_max_record_send_params
|
|
Packit |
aea12f |
};
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/*
|
|
Packit |
aea12f |
* In case of a server: if a MAX_RECORD_SIZE extension type is received then it stores
|
|
Packit |
aea12f |
* into the session the new value. The server may use gnutls_get_max_record_size(),
|
|
Packit |
aea12f |
* in order to access it.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* In case of a client: If a different max record size (than the default) has
|
|
Packit |
aea12f |
* been specified then it sends the extension.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
static int
|
|
Packit |
aea12f |
_gnutls_max_record_recv_params(gnutls_session_t session,
|
|
Packit |
5407aa |
const uint8_t * data, size_t data_size)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
ssize_t new_size;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_NEGOTIATED)
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (session->security_parameters.entity == GNUTLS_SERVER) {
|
|
Packit |
aea12f |
if (data_size > 0) {
|
|
Packit |
aea12f |
DECR_LEN(data_size, 1);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
new_size = _gnutls_mre_num2record(data[0]);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (new_size < 0) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
return new_size;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
session->security_parameters.max_record_send_size =
|
|
Packit |
aea12f |
new_size;
|
|
Packit |
aea12f |
session->security_parameters.max_record_recv_size =
|
|
Packit |
aea12f |
new_size;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
} else { /* CLIENT SIDE - we must check if the sent record size is the right one
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
if (data_size > 0) {
|
|
Packit |
aea12f |
if (data_size != 1) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
new_size = _gnutls_mre_num2record(data[0]);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (new_size < 0) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
return new_size;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (new_size != session->security_parameters.
|
|
Packit |
aea12f |
max_user_record_send_size) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
|
|
Packit |
aea12f |
} else {
|
|
Packit |
aea12f |
session->security_parameters.
|
|
Packit |
aea12f |
max_record_send_size = new_size;
|
|
Packit |
aea12f |
session->security_parameters.
|
|
Packit |
aea12f |
max_record_recv_size = new_size;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* returns data_size or a negative number on failure
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
static int
|
|
Packit |
aea12f |
_gnutls_max_record_send_params(gnutls_session_t session,
|
|
Packit |
aea12f |
gnutls_buffer_st * extdata)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
uint8_t p;
|
|
Packit |
aea12f |
int ret;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* this function sends the client extension data (dnsname) */
|
|
Packit |
aea12f |
if (session->security_parameters.entity == GNUTLS_CLIENT) {
|
|
Packit |
aea12f |
/* if the user limits for sending and receiving are
|
|
Packit |
aea12f |
* different, that means the programmer had chosen to
|
|
Packit |
aea12f |
* use record_size_limit instead */
|
|
Packit |
aea12f |
if (session->security_parameters.max_user_record_send_size !=
|
|
Packit |
aea12f |
session->security_parameters.max_user_record_recv_size)
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (session->security_parameters.max_user_record_send_size !=
|
|
Packit |
aea12f |
DEFAULT_MAX_RECORD_SIZE) {
|
|
Packit |
aea12f |
ret = _gnutls_mre_record2num
|
|
Packit |
aea12f |
(session->security_parameters.
|
|
Packit |
aea12f |
max_user_record_send_size);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* it's not an error, as long as we send the
|
|
Packit |
aea12f |
* record_size_limit extension with that value */
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
p = (uint8_t) ret;
|
|
Packit |
aea12f |
ret = _gnutls_buffer_append_data(extdata, &p, 1);
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(ret);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return 1;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
} else { /* server side */
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_SENT)
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (session->security_parameters.max_record_recv_size !=
|
|
Packit |
aea12f |
DEFAULT_MAX_RECORD_SIZE) {
|
|
Packit |
aea12f |
ret = _gnutls_mre_record2num
|
|
Packit |
aea12f |
(session->security_parameters.
|
|
Packit |
aea12f |
max_record_recv_size);
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(ret);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
p = (uint8_t) ret;
|
|
Packit |
aea12f |
ret = _gnutls_buffer_append_data(extdata, &p, 1);
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(ret);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return 1;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* Maps numbers to record sizes according to the
|
|
Packit |
aea12f |
* extensions draft.
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
static int _gnutls_mre_num2record(int num)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
switch (num) {
|
|
Packit |
aea12f |
case 1:
|
|
Packit |
aea12f |
return 512;
|
|
Packit |
aea12f |
case 2:
|
|
Packit |
aea12f |
return 1024;
|
|
Packit |
aea12f |
case 3:
|
|
Packit |
aea12f |
return 2048;
|
|
Packit |
aea12f |
case 4:
|
|
Packit |
aea12f |
return 4096;
|
|
Packit |
aea12f |
default:
|
|
Packit |
aea12f |
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* Maps record size to numbers according to the
|
|
Packit |
aea12f |
* extensions draft.
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
static int _gnutls_mre_record2num(uint16_t record_size)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
switch (record_size) {
|
|
Packit |
aea12f |
case 512:
|
|
Packit |
aea12f |
return 1;
|
|
Packit |
aea12f |
case 1024:
|
|
Packit |
aea12f |
return 2;
|
|
Packit |
aea12f |
case 2048:
|
|
Packit |
aea12f |
return 3;
|
|
Packit |
aea12f |
case 4096:
|
|
Packit |
aea12f |
return 4;
|
|
Packit |
aea12f |
default:
|
|
Packit |
aea12f |
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_record_get_max_size:
|
|
Packit |
aea12f |
* @session: is a #gnutls_session_t type.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Get the record size. The maximum record size is negotiated by the
|
|
Packit |
aea12f |
* client after the first handshake message.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Returns: The maximum record packet size in this connection.
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
size_t gnutls_record_get_max_size(gnutls_session_t session)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
/* Recv will hold the negotiated max record size
|
|
Packit |
aea12f |
* always.
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
return session->security_parameters.max_record_recv_size;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_record_set_max_size:
|
|
Packit |
aea12f |
* @session: is a #gnutls_session_t type.
|
|
Packit |
aea12f |
* @size: is the new size
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This function sets the maximum amount of plaintext sent and
|
|
Packit |
aea12f |
* received in a record in this connection.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Prior to 3.6.4, this function was implemented using a TLS extension
|
|
Packit |
aea12f |
* called 'max fragment length', which limits the acceptable values to
|
|
Packit |
aea12f |
* 512(=2^9), 1024(=2^10), 2048(=2^11) and 4096(=2^12).
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Since 3.6.4, the limit is also negotiated through a new TLS
|
|
Packit |
aea12f |
* extension called 'record size limit', which doesn't have the
|
|
Packit |
aea12f |
* limitation, as long as the value ranges between 512 and 16384.
|
|
Packit |
aea12f |
* Note that while the 'record size limit' extension is preferred, not
|
|
Packit |
aea12f |
* all TLS implementations use or even understand the extension.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Deprecated: if the client can assume that the 'record size limit'
|
|
Packit |
aea12f |
* extension is supported by the server, we recommend using
|
|
Packit |
aea12f |
* gnutls_record_set_max_recv_size() instead.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
|
|
Packit |
aea12f |
* otherwise a negative error code is returned.
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
ssize_t gnutls_record_set_max_size(gnutls_session_t session, size_t size)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
if (size < MIN_RECORD_SIZE || size > DEFAULT_MAX_RECORD_SIZE)
|
|
Packit |
aea12f |
return GNUTLS_E_INVALID_REQUEST;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (session->internals.handshake_in_progress)
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
session->security_parameters.max_user_record_send_size = size;
|
|
Packit |
aea12f |
session->security_parameters.max_user_record_recv_size = size;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_record_set_max_recv_size:
|
|
Packit |
aea12f |
* @session: is a #gnutls_session_t type.
|
|
Packit |
aea12f |
* @size: is the new size
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This function sets the maximum amount of plaintext received in a
|
|
Packit |
aea12f |
* record in this connection.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* The limit is also negotiated through a TLS extension called 'record
|
|
Packit |
aea12f |
* size limit'. Note that while the 'record size limit' extension is
|
|
Packit |
aea12f |
* preferred, not all TLS implementations use or even understand the
|
|
Packit |
aea12f |
* extension.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
|
|
Packit |
aea12f |
* otherwise a negative error code is returned.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Since: 3.6.8
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
ssize_t gnutls_record_set_max_recv_size(gnutls_session_t session, size_t size)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
if (size <
|
|
Packit |
aea12f |
(session->internals.allow_small_records ?
|
|
Packit |
aea12f |
MIN_RECORD_SIZE_SMALL : MIN_RECORD_SIZE) ||
|
|
Packit |
aea12f |
size > DEFAULT_MAX_RECORD_SIZE)
|
|
Packit |
aea12f |
return GNUTLS_E_INVALID_REQUEST;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (session->internals.handshake_in_progress)
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
session->security_parameters.max_user_record_recv_size = size;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
}
|