From 9752aadd85e61a58da6eaa7c59f6dd7ff47f78a7 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 21 Apr 2021 05:54:33 +0100 Subject: [PATCH 01/12] Make query API for state of MFL extension internal This commit makes the API - mbedtls_ssl_get_output_max_frag_len() - mbedtls_ssl_get_input_max_frag_len() - mbedtls_ssl_get__max_frag_len() for querying the state of the Maximum Fragment Length extension internal. Rationale: The value those APIs provide to the user is in upper bounds for the size of incoming and outgoing records, which can be used to size application data buffers apporpriately before passing them to mbedtls_ssl_{read,write}(). However, there are other factors which influence such upper bounds, such as the MTU or other extensions (specifically, the record_size_limit extension which is still to be implemented) which should be taken into account. There should be more general APIs for querying the maximum size of incoming and outgoing records. For the maximum size of outgoing records, we already have such, namely mbedtls_ssl_get_max_out_record_payload(). For the maximum size of incoming records, a new API will be added in a subsequent commit. Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 33 --------------------------------- library/ssl_misc.h | 33 +++++++++++++++++++++++++++++++++ programs/ssl/ssl_client2.c | 7 ------- programs/ssl/ssl_server2.c | 7 ------- 4 files changed, 33 insertions(+), 47 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 88a599c18c..905b5679c2 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3645,39 +3645,6 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ); */ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ); -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) -/** - * \brief Return the maximum fragment length (payload, in bytes) for - * the output buffer. For the client, this is the configured - * value. For the server, it is the minimum of two - the - * configured value and the negotiated one. - * - * \sa mbedtls_ssl_conf_max_frag_len() - * \sa mbedtls_ssl_get_max_record_payload() - * - * \param ssl SSL context - * - * \return Current maximum fragment length for the output buffer. - */ -size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl ); - -/** - * \brief Return the maximum fragment length (payload, in bytes) for - * the input buffer. This is the negotiated maximum fragment - * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN. - * If it is not defined either, the value is 2^14. This function - * works as its predecessor, \c mbedtls_ssl_get_max_frag_len(). - * - * \sa mbedtls_ssl_conf_max_frag_len() - * \sa mbedtls_ssl_get_max_record_payload() - * - * \param ssl SSL context - * - * \return Current maximum fragment length for the output buffer. - */ -size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl ); -#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ - /** * \brief Return the current maximum outgoing record payload in bytes. * This takes into account the config.h setting \c diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 180f4d8dc8..ecbeb8ba8c 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -270,6 +270,39 @@ + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) ) #endif +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) +/** + * \brief Return the maximum fragment length (payload, in bytes) for + * the output buffer. For the client, this is the configured + * value. For the server, it is the minimum of two - the + * configured value and the negotiated one. + * + * \sa mbedtls_ssl_conf_max_frag_len() + * \sa mbedtls_ssl_get_max_out_record_payload() + * + * \param ssl SSL context + * + * \return Current maximum fragment length for the output buffer. + */ +size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl ); + +/** + * \brief Return the maximum fragment length (payload, in bytes) for + * the input buffer. This is the negotiated maximum fragment + * length, or, if there is none, MBEDTLS_SSL_MAX_CONTENT_LEN. + * If it is not defined either, the value is 2^14. This function + * works as its predecessor, \c mbedtls_ssl_get_max_frag_len(). + * + * \sa mbedtls_ssl_conf_max_frag_len() + * \sa mbedtls_ssl_get_max_in_record_payload() + * + * \param ssl SSL context + * + * \return Current maximum fragment length for the output buffer. + */ +size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl ); +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ + #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) static inline size_t mbedtls_ssl_get_output_buflen( const mbedtls_ssl_context *ctx ) { diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 2ce8588373..3cbf130003 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2083,13 +2083,6 @@ int main( int argc, char *argv[] ) else mbedtls_printf( " [ Record expansion is unknown ]\n" ); -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - mbedtls_printf( " [ Maximum input fragment length is %u ]\n", - (unsigned int) mbedtls_ssl_get_input_max_frag_len( &ssl ) ); - mbedtls_printf( " [ Maximum output fragment length is %u ]\n", - (unsigned int) mbedtls_ssl_get_output_max_frag_len( &ssl ) ); -#endif - #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 1ff27fb8b0..1ec8f09f77 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -3164,13 +3164,6 @@ handshake: else mbedtls_printf( " [ Record expansion is unknown ]\n" ); -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - mbedtls_printf( " [ Maximum input fragment length is %u ]\n", - (unsigned int) mbedtls_ssl_get_input_max_frag_len( &ssl ) ); - mbedtls_printf( " [ Maximum output fragment length is %u ]\n", - (unsigned int) mbedtls_ssl_get_output_max_frag_len( &ssl ) ); -#endif - #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { From be746949c4bf8f701a8a7c5c8cb44d61394bb5da Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 21 Apr 2021 06:18:37 +0100 Subject: [PATCH 02/12] Relax documentation of mbedtls_ssl_get_max_out_record_payload() The previous documentation could be read as exhaustively listing the factors that go into computing the maximum outgoing record plaintext size -- we should give examples, but allow ourselves to add more factors in the future. Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 905b5679c2..9583dcaf8d 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3647,10 +3647,10 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ); /** * \brief Return the current maximum outgoing record payload in bytes. - * This takes into account the config.h setting \c - * MBEDTLS_SSL_OUT_CONTENT_LEN, the configured and negotiated - * max fragment length extension if used, and for DTLS the - * path MTU as configured and current record expansion. + * This takes into account various factors, such as the config.h + * setting \c MBEDTLS_SSL_OUT_CONTENT_LEN, extensions such as the + * max fragment length or record size limit extension if used, and + * for DTLS the path MTU as configured and current record expansion. * * \note With DTLS, \c mbedtls_ssl_write() will return an error if * called with a larger length value. From 2d8e99b0972de4a88217911a4664fbec64d776a4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 21 Apr 2021 06:19:50 +0100 Subject: [PATCH 03/12] Add API to query maximum plaintext size of incoming records Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 26 ++++++++++++++++++++++++++ library/ssl_tls.c | 18 ++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 9583dcaf8d..194aee5fa4 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3671,6 +3671,32 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ); */ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ); +/** + * \brief Return the current maximum incoming record payload in bytes. + * This takes into account various factors, such as the + * config.h setting \c MBEDTLS_SSL_IN_CONTENT_LEN, extensions + * such as the max fragment length extension or record size limit + * extension if used, and the current record expansion. + * + * \note With DTLS, \c mbedtls_ssl_read() will return an error if + * called with a larger length value. + * With TLS, \c mbedtls_ssl_write() will fragment the input if + * necessary and return the number of bytes written; it is up + * to the caller to call \c mbedtls_ssl_write() again in + * order to send the remaining bytes if any. + * + * \sa mbedtls_ssl_set_mtu() + * \sa mbedtls_ssl_get_output_max_frag_len() + * \sa mbedtls_ssl_get_input_max_frag_len() + * \sa mbedtls_ssl_get_record_expansion() + * + * \param ssl SSL context + * + * \return Current maximum payload for an outgoing record, + * or a negative error code. + */ +int mbedtls_ssl_get_max_in_record_payload( const mbedtls_ssl_context *ssl ); + #if defined(MBEDTLS_X509_CRT_PARSE_C) /** * \brief Return the peer certificate from the current connection. diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 170d563bdb..fd6050c77d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4767,6 +4767,24 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ) return( (int) max_len ); } +int mbedtls_ssl_get_max_in_record_payload( const mbedtls_ssl_context *ssl ) +{ + size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN; + +#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + (void) ssl; +#endif + +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + const size_t mfl = mbedtls_ssl_get_input_max_frag_len( ssl ); + + if( max_len > mfl ) + max_len = mfl; +#endif + + return( (int) max_len ); +} + #if defined(MBEDTLS_X509_CRT_PARSE_C) const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl ) { From 80d163d496b66ca9e065a0a4f3a9e5a2ab85b9e1 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 21 Apr 2021 06:28:18 +0100 Subject: [PATCH 04/12] Remove Doxygen references to now-internal MFL query API Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 194aee5fa4..83df117691 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3659,9 +3659,7 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ); * to the caller to call \c mbedtls_ssl_write() again in * order to send the remaining bytes if any. * - * \sa mbedtls_ssl_set_mtu() - * \sa mbedtls_ssl_get_output_max_frag_len() - * \sa mbedtls_ssl_get_input_max_frag_len() + * \sa mbedtls_ssl_get_max_out_record_payload() * \sa mbedtls_ssl_get_record_expansion() * * \param ssl SSL context @@ -3686,8 +3684,7 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ); * order to send the remaining bytes if any. * * \sa mbedtls_ssl_set_mtu() - * \sa mbedtls_ssl_get_output_max_frag_len() - * \sa mbedtls_ssl_get_input_max_frag_len() + * \sa mbedtls_ssl_get_max_in_record_payload() * \sa mbedtls_ssl_get_record_expansion() * * \param ssl SSL context @@ -3995,7 +3992,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) * or negotiated with the peer), then: * - with TLS, less bytes than requested are written. * - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned. - * \c mbedtls_ssl_get_output_max_frag_len() may be used to + * \c mbedtls_ssl_get_max_out_record_payload() may be used to * query the active maximum fragment length. * * \note Attempting to write 0 bytes will result in an empty TLS From b2efc4d4648082058461c664ca597cf661074902 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sat, 15 May 2021 06:26:24 +0100 Subject: [PATCH 05/12] Add migration guide Signed-off-by: Hanno Becker --- docs/3.0-migration-guide.d/max-record-payload-api.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 docs/3.0-migration-guide.d/max-record-payload-api.md diff --git a/docs/3.0-migration-guide.d/max-record-payload-api.md b/docs/3.0-migration-guide.d/max-record-payload-api.md new file mode 100644 index 0000000000..0b34915f40 --- /dev/null +++ b/docs/3.0-migration-guide.d/max-record-payload-api.md @@ -0,0 +1,11 @@ +Remove MaximumFragmentLength (MFL) query API +----------------------------------------------------------------- + +This affects users which use the MFL query APIs +`mbedtls_ssl_get_{input,output}_max_frag_len()` to +infer upper bounds on the plaintext size of incoming and +outgoing record. + +Users should switch to `mbedtls_ssl_get_max_{in,out}_record_payload()` +instead, which also provides such upper bounds but takes more factors +than just the MFL configuration into account. From 24628b69be04b547982f401fa48230a33a993df0 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sat, 15 May 2021 06:29:41 +0100 Subject: [PATCH 06/12] Add ChangeLog entry Signed-off-by: Hanno Becker --- ChangeLog.d/max-record-payload-api.txt | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ChangeLog.d/max-record-payload-api.txt diff --git a/ChangeLog.d/max-record-payload-api.txt b/ChangeLog.d/max-record-payload-api.txt new file mode 100644 index 0000000000..af49fd96d6 --- /dev/null +++ b/ChangeLog.d/max-record-payload-api.txt @@ -0,0 +1,6 @@ +API changes + * Remove `mbedtls_ssl_get_{input,output}_max_frag_len()` + and add `mbedtls_ssl_get_max_in_record_payload()`, + complementing the existing `mbedtls_ssl_get_max_out_record_payload()`. + Uses of `mbedtls_ssl_get_{input,output}_max_frag_len()` + should be replaced by `mbedtls_ssl_get_max_{in,out}_record_payload()`. From ebd6ab7f6e1eb2d421b1441b25b12395d6a10da0 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sun, 23 May 2021 05:59:46 +0100 Subject: [PATCH 07/12] Improve documentation of record expansion API Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 83df117691..02cb6da91c 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3647,10 +3647,13 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ); /** * \brief Return the current maximum outgoing record payload in bytes. - * This takes into account various factors, such as the config.h - * setting \c MBEDTLS_SSL_OUT_CONTENT_LEN, extensions such as the - * max fragment length or record size limit extension if used, and - * for DTLS the path MTU as configured and current record expansion. + * + * \note The logic to determine the maximum outgoing record payload is + * version-specific. It takes into account various factors, such as + * the config.h setting \c MBEDTLS_SSL_OUT_CONTENT_LEN, extensions + * such as the max fragment length or record size limit extension if + * used, and for DTLS the path MTU as configured and current + * record expansion. * * \note With DTLS, \c mbedtls_ssl_write() will return an error if * called with a larger length value. @@ -3671,8 +3674,10 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ); /** * \brief Return the current maximum incoming record payload in bytes. - * This takes into account various factors, such as the - * config.h setting \c MBEDTLS_SSL_IN_CONTENT_LEN, extensions + * + * \note The logic to determine the maximum outgoing record payload is + * version-specific. It takes into account various factors, such as + * the config.h setting \c MBEDTLS_SSL_IN_CONTENT_LEN, extensions * such as the max fragment length extension or record size limit * extension if used, and the current record expansion. * From 88f86f7f37092ede28c3e5647c29f44e4749e78d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sun, 23 May 2021 06:00:28 +0100 Subject: [PATCH 08/12] Remove copy-pasta from record API documentation Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 7 ------- 1 file changed, 7 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 02cb6da91c..cf3b44bc38 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3681,13 +3681,6 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ); * such as the max fragment length extension or record size limit * extension if used, and the current record expansion. * - * \note With DTLS, \c mbedtls_ssl_read() will return an error if - * called with a larger length value. - * With TLS, \c mbedtls_ssl_write() will fragment the input if - * necessary and return the number of bytes written; it is up - * to the caller to call \c mbedtls_ssl_write() again in - * order to send the remaining bytes if any. - * * \sa mbedtls_ssl_set_mtu() * \sa mbedtls_ssl_get_max_in_record_payload() * \sa mbedtls_ssl_get_record_expansion() From fb1add76fdc62d857dcf43c74e231ea6415a4597 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sun, 23 May 2021 06:02:48 +0100 Subject: [PATCH 09/12] Don't use markdown formatting in ChangeLog Signed-off-by: Hanno Becker --- ChangeLog.d/max-record-payload-api.txt | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/ChangeLog.d/max-record-payload-api.txt b/ChangeLog.d/max-record-payload-api.txt index af49fd96d6..02b47e4e1b 100644 --- a/ChangeLog.d/max-record-payload-api.txt +++ b/ChangeLog.d/max-record-payload-api.txt @@ -1,6 +1,9 @@ API changes - * Remove `mbedtls_ssl_get_{input,output}_max_frag_len()` - and add `mbedtls_ssl_get_max_in_record_payload()`, - complementing the existing `mbedtls_ssl_get_max_out_record_payload()`. - Uses of `mbedtls_ssl_get_{input,output}_max_frag_len()` - should be replaced by `mbedtls_ssl_get_max_{in,out}_record_payload()`. + * Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and + mbedtls_ssl_get_output_max_frag_len(), and add a new API + mbedtls_ssl_get_max_in_record_payload(), complementing the existing + mbedtls_ssl_get_max_out_record_payload(). + Uses of mbedtls_ssl_get_input_max_frag_len() and + mbedtls_ssl_get_input_max_frag_len() should be replaced by + mbedtls_ssl_get_max_in_record_payload() and + mbedtls_ssl_get_max_out_record_payload(), respectively. From df3b86343ac80a4874878c28108c88a157a8c076 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Jun 2021 05:30:45 +0100 Subject: [PATCH 10/12] Fixup rebase slip in library/ssl_misc.h Signed-off-by: Hanno Becker --- library/ssl_misc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index ecbeb8ba8c..7fd5686bd6 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -289,7 +289,7 @@ size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl ); /** * \brief Return the maximum fragment length (payload, in bytes) for * the input buffer. This is the negotiated maximum fragment - * length, or, if there is none, MBEDTLS_SSL_MAX_CONTENT_LEN. + * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN. * If it is not defined either, the value is 2^14. This function * works as its predecessor, \c mbedtls_ssl_get_max_frag_len(). * From 59d3670fa557f5ed564b631e4299138a8bbf4e78 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Jun 2021 05:35:29 +0100 Subject: [PATCH 11/12] Fix ssl-opt.sh test cases grepping for MFL configuration output Use and grep for the new max in/out record payload length API instead. Signed-off-by: Hanno Becker --- programs/ssl/ssl_client2.c | 7 ++ programs/ssl/ssl_server2.c | 7 ++ tests/ssl-opt.sh | 188 ++++++++++++++++++------------------- 3 files changed, 108 insertions(+), 94 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 3cbf130003..6e9955ccf8 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2083,6 +2083,13 @@ int main( int argc, char *argv[] ) else mbedtls_printf( " [ Record expansion is unknown ]\n" ); +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + mbedtls_printf( " [ Maximum incoming record payload length is %u ]\n", + (unsigned int) mbedtls_ssl_get_max_in_record_payload( &ssl ) ); + mbedtls_printf( " [ Maximum outgoing record payload length is %u ]\n", + (unsigned int) mbedtls_ssl_get_max_out_record_payload( &ssl ) ); +#endif + #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 1ec8f09f77..914286cfc5 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -3164,6 +3164,13 @@ handshake: else mbedtls_printf( " [ Record expansion is unknown ]\n" ); +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + mbedtls_printf( " [ Maximum incoming record payload length is %u ]\n", + (unsigned int) mbedtls_ssl_get_max_in_record_payload( &ssl ) ); + mbedtls_printf( " [ Maximum outgoing record payload length is %u ]\n", + (unsigned int) mbedtls_ssl_get_max_out_record_payload( &ssl ) ); +#endif + #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 1041c87d4f..a42ff73aca 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3033,10 +3033,10 @@ run_test "Max fragment length: enabled, default" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ 0 \ - -c "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -c "Maximum output fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum output fragment length is $MAX_CONTENT_LEN" \ + -c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -c "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \ -C "client hello, adding max_fragment_length extension" \ -S "found max fragment length extension" \ -S "server hello, max_fragment_length extension" \ @@ -3047,10 +3047,10 @@ run_test "Max fragment length: enabled, default, larger message" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \ 0 \ - -c "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -c "Maximum output fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum output fragment length is $MAX_CONTENT_LEN" \ + -c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -c "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \ -C "client hello, adding max_fragment_length extension" \ -S "found max fragment length extension" \ -S "server hello, max_fragment_length extension" \ @@ -3064,10 +3064,10 @@ run_test "Max fragment length, DTLS: enabled, default, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \ 1 \ - -c "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -c "Maximum output fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum output fragment length is $MAX_CONTENT_LEN" \ + -c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -c "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \ -C "client hello, adding max_fragment_length extension" \ -S "found max fragment length extension" \ -S "server hello, max_fragment_length extension" \ @@ -3083,10 +3083,10 @@ run_test "Max fragment length: disabled, larger message" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \ 0 \ - -C "Maximum input fragment length is 16384" \ - -C "Maximum output fragment length is 16384" \ - -S "Maximum input fragment length is 16384" \ - -S "Maximum output fragment length is 16384" \ + -C "Maximum incoming record payload length is 16384" \ + -C "Maximum outgoing record payload length is 16384" \ + -S "Maximum incoming record payload length is 16384" \ + -S "Maximum outgoing record payload length is 16384" \ -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \ -s "$MAX_CONTENT_LEN bytes read" \ -s "1 bytes read" @@ -3096,10 +3096,10 @@ run_test "Max fragment length DTLS: disabled, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \ 1 \ - -C "Maximum input fragment length is 16384" \ - -C "Maximum output fragment length is 16384" \ - -S "Maximum input fragment length is 16384" \ - -S "Maximum output fragment length is 16384" \ + -C "Maximum incoming record payload length is 16384" \ + -C "Maximum outgoing record payload length is 16384" \ + -S "Maximum incoming record payload length is 16384" \ + -S "Maximum outgoing record payload length is 16384" \ -c "fragment larger than.*maximum " requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH @@ -3107,10 +3107,10 @@ run_test "Max fragment length: used by client" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=4096" \ 0 \ - -c "Maximum input fragment length is 4096" \ - -c "Maximum output fragment length is 4096" \ - -s "Maximum input fragment length is 4096" \ - -s "Maximum output fragment length is 4096" \ + -c "Maximum incoming record payload length is 4096" \ + -c "Maximum outgoing record payload length is 4096" \ + -s "Maximum incoming record payload length is 4096" \ + -s "Maximum outgoing record payload length is 4096" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3121,10 +3121,10 @@ run_test "Max fragment length: client 512, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ "$P_CLI debug_level=3 max_frag_len=512" \ 0 \ - -c "Maximum input fragment length is 512" \ - -c "Maximum output fragment length is 512" \ - -s "Maximum input fragment length is 512" \ - -s "Maximum output fragment length is 512" \ + -c "Maximum incoming record payload length is 512" \ + -c "Maximum outgoing record payload length is 512" \ + -s "Maximum incoming record payload length is 512" \ + -s "Maximum outgoing record payload length is 512" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3135,10 +3135,10 @@ run_test "Max fragment length: client 512, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ "$P_CLI debug_level=3 max_frag_len=512" \ 0 \ - -c "Maximum input fragment length is 512" \ - -c "Maximum output fragment length is 512" \ - -s "Maximum input fragment length is 512" \ - -s "Maximum output fragment length is 512" \ + -c "Maximum incoming record payload length is 512" \ + -c "Maximum outgoing record payload length is 512" \ + -s "Maximum incoming record payload length is 512" \ + -s "Maximum outgoing record payload length is 512" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3149,10 +3149,10 @@ run_test "Max fragment length: client 512, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3 max_frag_len=512" \ 0 \ - -c "Maximum input fragment length is 512" \ - -c "Maximum output fragment length is 512" \ - -s "Maximum input fragment length is 512" \ - -s "Maximum output fragment length is 512" \ + -c "Maximum incoming record payload length is 512" \ + -c "Maximum outgoing record payload length is 512" \ + -s "Maximum incoming record payload length is 512" \ + -s "Maximum outgoing record payload length is 512" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3163,10 +3163,10 @@ run_test "Max fragment length: client 1024, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ "$P_CLI debug_level=3 max_frag_len=1024" \ 0 \ - -c "Maximum input fragment length is 1024" \ - -c "Maximum output fragment length is 1024" \ - -s "Maximum input fragment length is 1024" \ - -s "Maximum output fragment length is 512" \ + -c "Maximum incoming record payload length is 1024" \ + -c "Maximum outgoing record payload length is 1024" \ + -s "Maximum incoming record payload length is 1024" \ + -s "Maximum outgoing record payload length is 512" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3177,10 +3177,10 @@ run_test "Max fragment length: client 1024, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ "$P_CLI debug_level=3 max_frag_len=1024" \ 0 \ - -c "Maximum input fragment length is 1024" \ - -c "Maximum output fragment length is 1024" \ - -s "Maximum input fragment length is 1024" \ - -s "Maximum output fragment length is 1024" \ + -c "Maximum incoming record payload length is 1024" \ + -c "Maximum outgoing record payload length is 1024" \ + -s "Maximum incoming record payload length is 1024" \ + -s "Maximum outgoing record payload length is 1024" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3191,10 +3191,10 @@ run_test "Max fragment length: client 1024, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3 max_frag_len=1024" \ 0 \ - -c "Maximum input fragment length is 1024" \ - -c "Maximum output fragment length is 1024" \ - -s "Maximum input fragment length is 1024" \ - -s "Maximum output fragment length is 1024" \ + -c "Maximum incoming record payload length is 1024" \ + -c "Maximum outgoing record payload length is 1024" \ + -s "Maximum incoming record payload length is 1024" \ + -s "Maximum outgoing record payload length is 1024" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3205,10 +3205,10 @@ run_test "Max fragment length: client 2048, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ "$P_CLI debug_level=3 max_frag_len=2048" \ 0 \ - -c "Maximum input fragment length is 2048" \ - -c "Maximum output fragment length is 2048" \ - -s "Maximum input fragment length is 2048" \ - -s "Maximum output fragment length is 512" \ + -c "Maximum incoming record payload length is 2048" \ + -c "Maximum outgoing record payload length is 2048" \ + -s "Maximum incoming record payload length is 2048" \ + -s "Maximum outgoing record payload length is 512" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3219,10 +3219,10 @@ run_test "Max fragment length: client 2048, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ "$P_CLI debug_level=3 max_frag_len=2048" \ 0 \ - -c "Maximum input fragment length is 2048" \ - -c "Maximum output fragment length is 2048" \ - -s "Maximum input fragment length is 2048" \ - -s "Maximum output fragment length is 1024" \ + -c "Maximum incoming record payload length is 2048" \ + -c "Maximum outgoing record payload length is 2048" \ + -s "Maximum incoming record payload length is 2048" \ + -s "Maximum outgoing record payload length is 1024" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3233,10 +3233,10 @@ run_test "Max fragment length: client 2048, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3 max_frag_len=2048" \ 0 \ - -c "Maximum input fragment length is 2048" \ - -c "Maximum output fragment length is 2048" \ - -s "Maximum input fragment length is 2048" \ - -s "Maximum output fragment length is 2048" \ + -c "Maximum incoming record payload length is 2048" \ + -c "Maximum outgoing record payload length is 2048" \ + -s "Maximum incoming record payload length is 2048" \ + -s "Maximum outgoing record payload length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3247,10 +3247,10 @@ run_test "Max fragment length: client 4096, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ "$P_CLI debug_level=3 max_frag_len=4096" \ 0 \ - -c "Maximum input fragment length is 4096" \ - -c "Maximum output fragment length is 4096" \ - -s "Maximum input fragment length is 4096" \ - -s "Maximum output fragment length is 512" \ + -c "Maximum incoming record payload length is 4096" \ + -c "Maximum outgoing record payload length is 4096" \ + -s "Maximum incoming record payload length is 4096" \ + -s "Maximum outgoing record payload length is 512" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3261,10 +3261,10 @@ run_test "Max fragment length: client 4096, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ "$P_CLI debug_level=3 max_frag_len=4096" \ 0 \ - -c "Maximum input fragment length is 4096" \ - -c "Maximum output fragment length is 4096" \ - -s "Maximum input fragment length is 4096" \ - -s "Maximum output fragment length is 1024" \ + -c "Maximum incoming record payload length is 4096" \ + -c "Maximum outgoing record payload length is 4096" \ + -s "Maximum incoming record payload length is 4096" \ + -s "Maximum outgoing record payload length is 1024" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3275,10 +3275,10 @@ run_test "Max fragment length: client 4096, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ "$P_CLI debug_level=3 max_frag_len=4096" \ 0 \ - -c "Maximum input fragment length is 4096" \ - -c "Maximum output fragment length is 4096" \ - -s "Maximum input fragment length is 4096" \ - -s "Maximum output fragment length is 2048" \ + -c "Maximum incoming record payload length is 4096" \ + -c "Maximum outgoing record payload length is 4096" \ + -s "Maximum incoming record payload length is 4096" \ + -s "Maximum outgoing record payload length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3289,10 +3289,10 @@ run_test "Max fragment length: used by server" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3" \ 0 \ - -c "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -c "Maximum output fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum input fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum output fragment length is 4096" \ + -c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -c "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum incoming record payload length is $MAX_CONTENT_LEN" \ + -s "Maximum outgoing record payload length is 4096" \ -C "client hello, adding max_fragment_length extension" \ -S "found max fragment length extension" \ -S "server hello, max_fragment_length extension" \ @@ -3304,8 +3304,8 @@ run_test "Max fragment length: gnutls server" \ "$G_SRV" \ "$P_CLI debug_level=3 max_frag_len=4096" \ 0 \ - -c "Maximum input fragment length is 4096" \ - -c "Maximum output fragment length is 4096" \ + -c "Maximum incoming record payload length is 4096" \ + -c "Maximum outgoing record payload length is 4096" \ -c "client hello, adding max_fragment_length extension" \ -c "found max_fragment_length extension" @@ -3314,10 +3314,10 @@ run_test "Max fragment length: client, message just fits" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \ 0 \ - -c "Maximum input fragment length is 2048" \ - -c "Maximum output fragment length is 2048" \ - -s "Maximum input fragment length is 2048" \ - -s "Maximum output fragment length is 2048" \ + -c "Maximum incoming record payload length is 2048" \ + -c "Maximum outgoing record payload length is 2048" \ + -s "Maximum incoming record payload length is 2048" \ + -s "Maximum outgoing record payload length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3330,10 +3330,10 @@ run_test "Max fragment length: client, larger message" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \ 0 \ - -c "Maximum input fragment length is 2048" \ - -c "Maximum output fragment length is 2048" \ - -s "Maximum input fragment length is 2048" \ - -s "Maximum output fragment length is 2048" \ + -c "Maximum incoming record payload length is 2048" \ + -c "Maximum outgoing record payload length is 2048" \ + -s "Maximum incoming record payload length is 2048" \ + -s "Maximum outgoing record payload length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3347,10 +3347,10 @@ run_test "Max fragment length: DTLS client, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \ 1 \ - -c "Maximum input fragment length is 2048" \ - -c "Maximum output fragment length is 2048" \ - -s "Maximum input fragment length is 2048" \ - -s "Maximum output fragment length is 2048" \ + -c "Maximum incoming record payload length is 2048" \ + -c "Maximum outgoing record payload length is 2048" \ + -s "Maximum incoming record payload length is 2048" \ + -s "Maximum outgoing record payload length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -3457,10 +3457,10 @@ run_test "Renegotiation with max fragment length: client 2048, server 512" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1 max_frag_len=512" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 max_frag_len=2048 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ 0 \ - -c "Maximum input fragment length is 2048" \ - -c "Maximum output fragment length is 2048" \ - -s "Maximum input fragment length is 2048" \ - -s "Maximum output fragment length is 512" \ + -c "Maximum incoming record payload length is 2048" \ + -c "Maximum outgoing record payload length is 2048" \ + -s "Maximum incoming record payload length is 2048" \ + -s "Maximum outgoing record payload length is 512" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ From 61f292ea0a4b2e4388f69a80661ba8b22a547152 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Jun 2021 07:50:55 +0100 Subject: [PATCH 12/12] Fix migration guide for now-removed deprecated functions Signed-off-by: Hanno Becker --- .../remove_deprecated_functions_and_constants.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/3.0-migration-guide.d/remove_deprecated_functions_and_constants.md b/docs/3.0-migration-guide.d/remove_deprecated_functions_and_constants.md index b18b3109d8..31c2ce8621 100644 --- a/docs/3.0-migration-guide.d/remove_deprecated_functions_and_constants.md +++ b/docs/3.0-migration-guide.d/remove_deprecated_functions_and_constants.md @@ -50,7 +50,9 @@ The function `mbedtls_ssl_conf_dh_param()` was removed. Please use `mbedtls_ssl_conf_dh_param_bin()` or `mbedtls_ssl_conf_dh_param_ctx()` instead. The function `mbedtls_ssl_get_max_frag_len()` was removed. Please use -`mbedtls_ssl_get_output_max_frag_len()` instead. +`mbedtls_ssl_get_max_out_record_payload()` and +`mbedtls_ssl_get_max_in_record_payload()` +instead. Deprecated hex-encoded primes were removed from DHM ---------------------------------------------------