aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2016-02-07 02:58:41 -0500
committerJack Lloyd <[email protected]>2016-02-07 02:58:41 -0500
commite23cfdeb6d079a2c8d147142f31934d2c8b3a881 (patch)
tree33a26385dbc5af02940ac5f4682c8b4b508cb6c1 /src
parentceb90fb9814d5118d406efcbcda2117b6b083ad4 (diff)
Remove support for the TLS min fragment length extension.
Diffstat (limited to 'src')
-rw-r--r--src/lib/tls/msg_client_hello.cpp3
-rw-r--r--src/lib/tls/msg_server_hello.cpp6
-rw-r--r--src/lib/tls/tls_channel.cpp26
-rw-r--r--src/lib/tls/tls_channel.h2
-rw-r--r--src/lib/tls/tls_client.cpp1
-rw-r--r--src/lib/tls/tls_extensions.cpp50
-rw-r--r--src/lib/tls/tls_extensions.h34
-rw-r--r--src/lib/tls/tls_messages.h14
-rw-r--r--src/lib/tls/tls_server.cpp1
-rw-r--r--src/lib/tls/tls_session.cpp17
-rw-r--r--src/lib/tls/tls_session.h11
11 files changed, 18 insertions, 147 deletions
diff --git a/src/lib/tls/msg_client_hello.cpp b/src/lib/tls/msg_client_hello.cpp
index 34edac29c..43ab84f33 100644
--- a/src/lib/tls/msg_client_hello.cpp
+++ b/src/lib/tls/msg_client_hello.cpp
@@ -141,9 +141,6 @@ Client_Hello::Client_Hello(Handshake_IO& io,
m_extensions.add(new Session_Ticket(session.session_ticket()));
m_extensions.add(new Supported_Elliptic_Curves(policy.allowed_ecc_curves()));
- if(session.fragment_size() != 0)
- m_extensions.add(new Maximum_Fragment_Length(session.fragment_size()));
-
if(m_version.supports_negotiable_signature_algorithms())
m_extensions.add(new Signature_Algorithms(policy.allowed_signature_hashes(),
policy.allowed_signature_methods()));
diff --git a/src/lib/tls/msg_server_hello.cpp b/src/lib/tls/msg_server_hello.cpp
index bbc483a4e..f9962a8ee 100644
--- a/src/lib/tls/msg_server_hello.cpp
+++ b/src/lib/tls/msg_server_hello.cpp
@@ -44,9 +44,6 @@ Server_Hello::Server_Hello(Handshake_IO& io,
if(client_hello.supports_session_ticket() && offer_session_ticket)
m_extensions.add(new Session_Ticket());
- if(size_t max_fragment_size = client_hello.fragment_size())
- m_extensions.add(new Maximum_Fragment_Length(max_fragment_size));
-
if(!next_protocol.empty() && client_hello.supports_alpn())
m_extensions.add(new Application_Layer_Protocol_Notification(next_protocol));
@@ -99,9 +96,6 @@ Server_Hello::Server_Hello(Handshake_IO& io,
if(client_hello.supports_session_ticket() && offer_session_ticket)
m_extensions.add(new Session_Ticket());
- if(size_t max_fragment_size = resumed_session.fragment_size())
- m_extensions.add(new Maximum_Fragment_Length(max_fragment_size));
-
if(!next_protocol.empty() && client_hello.supports_alpn())
m_extensions.add(new Application_Layer_Protocol_Notification(next_protocol));
diff --git a/src/lib/tls/tls_channel.cpp b/src/lib/tls/tls_channel.cpp
index 44627e7bc..2cf351c80 100644
--- a/src/lib/tls/tls_channel.cpp
+++ b/src/lib/tls/tls_channel.cpp
@@ -160,22 +160,6 @@ void Channel::renegotiate(bool force_full_renegotiation)
throw Exception("Cannot renegotiate on inactive connection");
}
-size_t Channel::maximum_fragment_size() const
- {
- // should we be caching this value?
-
- if(auto pending = pending_state())
- if(auto server_hello = pending->server_hello())
- if(size_t frag = server_hello->fragment_size())
- return frag;
-
- if(auto active = active_state())
- if(size_t frag = active->server_hello()->fragment_size())
- return frag;
-
- return MAX_PLAINTEXT_SIZE;
- }
-
void Channel::change_cipher_spec_reader(Connection_Side side)
{
auto pending = pending_state();
@@ -275,8 +259,6 @@ size_t Channel::received_data(const std::vector<byte>& buf)
size_t Channel::received_data(const byte input[], size_t input_size)
{
- const size_t max_fragment_size = maximum_fragment_size();
-
try
{
while(!is_closed() && input_size)
@@ -316,9 +298,9 @@ size_t Channel::received_data(const byte input[], size_t input_size)
if(input_size == 0 && needed != 0)
return needed; // need more data to complete record
- if(record.size() > max_fragment_size)
+ if(record.size() > MAX_PLAINTEXT_SIZE)
throw TLS_Exception(Alert::RECORD_OVERFLOW,
- "TLS input record is larger than allowed maximum");
+ "TLS plaintext record is larger than allowed maximum");
if(record_type == HANDSHAKE || record_type == CHANGE_CIPHER_SPEC)
{
@@ -492,11 +474,9 @@ void Channel::send_record_array(u16bit epoch, byte type, const byte input[], siz
length -= 1;
}
- const size_t max_fragment_size = maximum_fragment_size();
-
while(length)
{
- const size_t sending = std::min(length, max_fragment_size);
+ const size_t sending = std::min<size_t>(length, MAX_PLAINTEXT_SIZE);
write_record(cipher_state.get(), epoch, type, input, sending);
input += sending;
diff --git a/src/lib/tls/tls_channel.h b/src/lib/tls/tls_channel.h
index aca5c7138..e0219c242 100644
--- a/src/lib/tls/tls_channel.h
+++ b/src/lib/tls/tls_channel.h
@@ -204,8 +204,6 @@ class BOTAN_DLL Channel
handshake_msg_cb get_handshake_msg_cb() const { return m_handshake_msg_cb; }
private:
- size_t maximum_fragment_size() const;
-
void send_record(byte record_type, const std::vector<byte>& record);
void send_record_under_epoch(u16bit epoch, byte record_type,
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp
index 623a52225..368e4569e 100644
--- a/src/lib/tls/tls_client.cpp
+++ b/src/lib/tls/tls_client.cpp
@@ -509,7 +509,6 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
state.server_hello()->ciphersuite(),
state.server_hello()->compression_method(),
CLIENT,
- state.server_hello()->fragment_size(),
state.server_hello()->supports_extended_master_secret(),
get_peer_cert_chain(state),
session_ticket,
diff --git a/src/lib/tls/tls_extensions.cpp b/src/lib/tls/tls_extensions.cpp
index 6bf32f1f1..b81a0dcb9 100644
--- a/src/lib/tls/tls_extensions.cpp
+++ b/src/lib/tls/tls_extensions.cpp
@@ -24,9 +24,6 @@ Extension* make_extension(TLS_Data_Reader& reader,
case TLSEXT_SERVER_NAME_INDICATION:
return new Server_Name_Indicator(reader, size);
- case TLSEXT_MAX_FRAGMENT_LENGTH:
- return new Maximum_Fragment_Length(reader, size);
-
case TLSEXT_SRP_IDENTIFIER:
return new SRP_Identifier(reader, size);
@@ -215,53 +212,6 @@ std::vector<byte> Renegotiation_Extension::serialize() const
return buf;
}
-std::vector<byte> Maximum_Fragment_Length::serialize() const
- {
- switch(m_max_fragment)
- {
- case 512:
- return std::vector<byte>(1, 1);
- case 1024:
- return std::vector<byte>(1, 2);
- case 2048:
- return std::vector<byte>(1, 3);
- case 4096:
- return std::vector<byte>(1, 4);
- default:
- throw Invalid_Argument("Bad setting " +
- std::to_string(m_max_fragment) +
- " for maximum fragment size");
- }
- }
-
-Maximum_Fragment_Length::Maximum_Fragment_Length(TLS_Data_Reader& reader,
- u16bit extension_size)
- {
- if(extension_size != 1)
- throw Decoding_Error("Bad size for maximum fragment extension");
-
- const byte val = reader.get_byte();
-
- switch(val)
- {
- case 1:
- m_max_fragment = 512;
- break;
- case 2:
- m_max_fragment = 1024;
- break;
- case 3:
- m_max_fragment = 2048;
- break;
- case 4:
- m_max_fragment = 4096;
- break;
- default:
- throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
- "Bad value " + std::to_string(val) + " for max fragment len");
- }
- }
-
Application_Layer_Protocol_Notification::Application_Layer_Protocol_Notification(TLS_Data_Reader& reader,
u16bit extension_size)
{
diff --git a/src/lib/tls/tls_extensions.h b/src/lib/tls/tls_extensions.h
index 8b2cbc096..a4ca31410 100644
--- a/src/lib/tls/tls_extensions.h
+++ b/src/lib/tls/tls_extensions.h
@@ -23,7 +23,7 @@ class TLS_Data_Reader;
enum Handshake_Extension_Type {
TLSEXT_SERVER_NAME_INDICATION = 0,
- TLSEXT_MAX_FRAGMENT_LENGTH = 1,
+ // 1 is maximum fragment length
TLSEXT_CLIENT_CERT_URL = 2,
TLSEXT_TRUSTED_CA_KEYS = 3,
TLSEXT_TRUNCATED_HMAC = 4,
@@ -150,38 +150,6 @@ class Renegotiation_Extension final : public Extension
};
/**
-* Maximum Fragment Length Negotiation Extension (RFC 4366 sec 3.2)
-*/
-class Maximum_Fragment_Length final : public Extension
- {
- public:
- static Handshake_Extension_Type static_type()
- { return TLSEXT_MAX_FRAGMENT_LENGTH; }
-
- Handshake_Extension_Type type() const override { return static_type(); }
-
- bool empty() const override { return false; }
-
- size_t fragment_size() const { return m_max_fragment; }
-
- std::vector<byte> serialize() const override;
-
- /**
- * @param max_fragment specifies what maximum fragment size to
- * advertise. Currently must be one of 512, 1024, 2048, or
- * 4096.
- */
- Maximum_Fragment_Length(size_t max_fragment) :
- m_max_fragment(max_fragment) {}
-
- Maximum_Fragment_Length(TLS_Data_Reader& reader,
- u16bit extension_size);
-
- private:
- size_t m_max_fragment;
- };
-
-/**
* ALPN (RFC 7301)
*/
class Application_Layer_Protocol_Notification final : public Extension
diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h
index ba05ee9a7..739eca23e 100644
--- a/src/lib/tls/tls_messages.h
+++ b/src/lib/tls/tls_messages.h
@@ -114,13 +114,6 @@ class Client_Hello final : public Handshake_Message
return std::vector<byte>();
}
- size_t fragment_size() const
- {
- if(Maximum_Fragment_Length* frag = m_extensions.get<Maximum_Fragment_Length>())
- return frag->fragment_size();
- return 0;
- }
-
bool supports_session_ticket() const
{
return m_extensions.has<Session_Ticket>();
@@ -225,13 +218,6 @@ class Server_Hello final : public Handshake_Message
return std::vector<byte>();
}
- size_t fragment_size() const
- {
- if(Maximum_Fragment_Length* frag = m_extensions.get<Maximum_Fragment_Length>())
- return frag->fragment_size();
- return 0;
- }
-
bool supports_extended_master_secret() const
{
return m_extensions.has<Extended_Master_Secret>();
diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp
index 76db9ce6b..6aed40479 100644
--- a/src/lib/tls/tls_server.cpp
+++ b/src/lib/tls/tls_server.cpp
@@ -665,7 +665,6 @@ void Server::process_handshake_msg(const Handshake_State* active_state,
state.server_hello()->ciphersuite(),
state.server_hello()->compression_method(),
SERVER,
- state.server_hello()->fragment_size(),
state.server_hello()->supports_extended_master_secret(),
get_peer_cert_chain(state),
std::vector<byte>(),
diff --git a/src/lib/tls/tls_session.cpp b/src/lib/tls/tls_session.cpp
index dbdb99ac8..6d5fc1a7b 100644
--- a/src/lib/tls/tls_session.cpp
+++ b/src/lib/tls/tls_session.cpp
@@ -23,7 +23,6 @@ Session::Session(const std::vector<byte>& session_identifier,
u16bit ciphersuite,
byte compression_method,
Connection_Side side,
- size_t fragment_size,
bool extended_master_secret,
const std::vector<X509_Certificate>& certs,
const std::vector<byte>& ticket,
@@ -40,7 +39,6 @@ Session::Session(const std::vector<byte>& session_identifier,
m_connection_side(side),
m_srtp_profile(srtp_profile),
m_extended_master_secret(extended_master_secret),
- m_fragment_size(fragment_size),
m_peer_certs(certs),
m_server_info(server_info),
m_srp_identifier(srp_identifier)
@@ -69,6 +67,7 @@ Session::Session(const byte ber[], size_t ber_len)
size_t start_time = 0;
size_t srtp_profile = 0;
+ size_t fragment_size = 0;
BER_Decoder(ber, ber_len)
.start_cons(SEQUENCE)
@@ -82,7 +81,7 @@ Session::Session(const byte ber[], size_t ber_len)
.decode_integer_type(m_ciphersuite)
.decode_integer_type(m_compression_method)
.decode_integer_type(side_code)
- .decode_integer_type(m_fragment_size)
+ .decode_integer_type(fragment_size)
.decode(m_extended_master_secret)
.decode(m_master_secret, OCTET_STRING)
.decode(peer_cert_bits, OCTET_STRING)
@@ -94,6 +93,16 @@ Session::Session(const byte ber[], size_t ber_len)
.end_cons()
.verify_end();
+ /*
+ Fragment size is not supported anymore, but the field is still
+ set in the session object.
+ */
+ if(fragment_size != 0)
+ {
+ throw Decoding_Error("Serialized TLS session used maximum fragment length which is "
+ " no longer supported");
+ }
+
m_version = Protocol_Version(major_version, minor_version);
m_start_time = std::chrono::system_clock::from_time_t(start_time);
m_connection_side = static_cast<Connection_Side>(side_code);
@@ -131,7 +140,7 @@ secure_vector<byte> Session::DER_encode() const
.encode(static_cast<size_t>(m_ciphersuite))
.encode(static_cast<size_t>(m_compression_method))
.encode(static_cast<size_t>(m_connection_side))
- .encode(static_cast<size_t>(m_fragment_size))
+ .encode(static_cast<size_t>(/*old fragment size*/0))
.encode(m_extended_master_secret)
.encode(m_master_secret, OCTET_STRING)
.encode(peer_cert_bits, OCTET_STRING)
diff --git a/src/lib/tls/tls_session.h b/src/lib/tls/tls_session.h
index f38ca8e27..0e22037f6 100644
--- a/src/lib/tls/tls_session.h
+++ b/src/lib/tls/tls_session.h
@@ -38,8 +38,7 @@ class BOTAN_DLL Session
m_compression_method(0),
m_connection_side(static_cast<Connection_Side>(0)),
m_srtp_profile(0),
- m_extended_master_secret(false),
- m_fragment_size(0)
+ m_extended_master_secret(false)
{}
/**
@@ -51,7 +50,6 @@ class BOTAN_DLL Session
u16bit ciphersuite,
byte compression_method,
Connection_Side side,
- size_t fragment_size,
bool supports_extended_master_secret,
const std::vector<X509_Certificate>& peer_certs,
const std::vector<byte>& session_ticket,
@@ -153,11 +151,6 @@ class BOTAN_DLL Session
const std::vector<byte>& session_id() const { return m_identifier; }
/**
- * Get the negotiated maximum fragment size (or 0 if default)
- */
- size_t fragment_size() const { return m_fragment_size; }
-
- /**
* Get the negotiated DTLS-SRTP algorithm (RFC 5764)
*/
u16bit dtls_srtp_profile() const { return m_srtp_profile; }
@@ -202,8 +195,6 @@ class BOTAN_DLL Session
u16bit m_srtp_profile;
bool m_extended_master_secret;
- size_t m_fragment_size;
-
std::vector<X509_Certificate> m_peer_certs;
Server_Information m_server_info; // optional
std::string m_srp_identifier; // optional