diff options
author | Jack Lloyd <[email protected]> | 2016-02-07 02:58:41 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-02-07 02:58:41 -0500 |
commit | e23cfdeb6d079a2c8d147142f31934d2c8b3a881 (patch) | |
tree | 33a26385dbc5af02940ac5f4682c8b4b508cb6c1 /src | |
parent | ceb90fb9814d5118d406efcbcda2117b6b083ad4 (diff) |
Remove support for the TLS min fragment length extension.
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/tls/msg_client_hello.cpp | 3 | ||||
-rw-r--r-- | src/lib/tls/msg_server_hello.cpp | 6 | ||||
-rw-r--r-- | src/lib/tls/tls_channel.cpp | 26 | ||||
-rw-r--r-- | src/lib/tls/tls_channel.h | 2 | ||||
-rw-r--r-- | src/lib/tls/tls_client.cpp | 1 | ||||
-rw-r--r-- | src/lib/tls/tls_extensions.cpp | 50 | ||||
-rw-r--r-- | src/lib/tls/tls_extensions.h | 34 | ||||
-rw-r--r-- | src/lib/tls/tls_messages.h | 14 | ||||
-rw-r--r-- | src/lib/tls/tls_server.cpp | 1 | ||||
-rw-r--r-- | src/lib/tls/tls_session.cpp | 17 | ||||
-rw-r--r-- | src/lib/tls/tls_session.h | 11 |
11 files changed, 18 insertions, 147 deletions
diff --git a/src/lib/tls/msg_client_hello.cpp b/src/lib/tls/msg_client_hello.cpp index 34edac29c..43ab84f33 100644 --- a/src/lib/tls/msg_client_hello.cpp +++ b/src/lib/tls/msg_client_hello.cpp @@ -141,9 +141,6 @@ Client_Hello::Client_Hello(Handshake_IO& io, m_extensions.add(new Session_Ticket(session.session_ticket())); m_extensions.add(new Supported_Elliptic_Curves(policy.allowed_ecc_curves())); - if(session.fragment_size() != 0) - m_extensions.add(new Maximum_Fragment_Length(session.fragment_size())); - if(m_version.supports_negotiable_signature_algorithms()) m_extensions.add(new Signature_Algorithms(policy.allowed_signature_hashes(), policy.allowed_signature_methods())); diff --git a/src/lib/tls/msg_server_hello.cpp b/src/lib/tls/msg_server_hello.cpp index bbc483a4e..f9962a8ee 100644 --- a/src/lib/tls/msg_server_hello.cpp +++ b/src/lib/tls/msg_server_hello.cpp @@ -44,9 +44,6 @@ Server_Hello::Server_Hello(Handshake_IO& io, if(client_hello.supports_session_ticket() && offer_session_ticket) m_extensions.add(new Session_Ticket()); - if(size_t max_fragment_size = client_hello.fragment_size()) - m_extensions.add(new Maximum_Fragment_Length(max_fragment_size)); - if(!next_protocol.empty() && client_hello.supports_alpn()) m_extensions.add(new Application_Layer_Protocol_Notification(next_protocol)); @@ -99,9 +96,6 @@ Server_Hello::Server_Hello(Handshake_IO& io, if(client_hello.supports_session_ticket() && offer_session_ticket) m_extensions.add(new Session_Ticket()); - if(size_t max_fragment_size = resumed_session.fragment_size()) - m_extensions.add(new Maximum_Fragment_Length(max_fragment_size)); - if(!next_protocol.empty() && client_hello.supports_alpn()) m_extensions.add(new Application_Layer_Protocol_Notification(next_protocol)); diff --git a/src/lib/tls/tls_channel.cpp b/src/lib/tls/tls_channel.cpp index 44627e7bc..2cf351c80 100644 --- a/src/lib/tls/tls_channel.cpp +++ b/src/lib/tls/tls_channel.cpp @@ -160,22 +160,6 @@ void Channel::renegotiate(bool force_full_renegotiation) throw Exception("Cannot renegotiate on inactive connection"); } -size_t Channel::maximum_fragment_size() const - { - // should we be caching this value? - - if(auto pending = pending_state()) - if(auto server_hello = pending->server_hello()) - if(size_t frag = server_hello->fragment_size()) - return frag; - - if(auto active = active_state()) - if(size_t frag = active->server_hello()->fragment_size()) - return frag; - - return MAX_PLAINTEXT_SIZE; - } - void Channel::change_cipher_spec_reader(Connection_Side side) { auto pending = pending_state(); @@ -275,8 +259,6 @@ size_t Channel::received_data(const std::vector<byte>& buf) size_t Channel::received_data(const byte input[], size_t input_size) { - const size_t max_fragment_size = maximum_fragment_size(); - try { while(!is_closed() && input_size) @@ -316,9 +298,9 @@ size_t Channel::received_data(const byte input[], size_t input_size) if(input_size == 0 && needed != 0) return needed; // need more data to complete record - if(record.size() > max_fragment_size) + if(record.size() > MAX_PLAINTEXT_SIZE) throw TLS_Exception(Alert::RECORD_OVERFLOW, - "TLS input record is larger than allowed maximum"); + "TLS plaintext record is larger than allowed maximum"); if(record_type == HANDSHAKE || record_type == CHANGE_CIPHER_SPEC) { @@ -492,11 +474,9 @@ void Channel::send_record_array(u16bit epoch, byte type, const byte input[], siz length -= 1; } - const size_t max_fragment_size = maximum_fragment_size(); - while(length) { - const size_t sending = std::min(length, max_fragment_size); + const size_t sending = std::min<size_t>(length, MAX_PLAINTEXT_SIZE); write_record(cipher_state.get(), epoch, type, input, sending); input += sending; diff --git a/src/lib/tls/tls_channel.h b/src/lib/tls/tls_channel.h index aca5c7138..e0219c242 100644 --- a/src/lib/tls/tls_channel.h +++ b/src/lib/tls/tls_channel.h @@ -204,8 +204,6 @@ class BOTAN_DLL Channel handshake_msg_cb get_handshake_msg_cb() const { return m_handshake_msg_cb; } private: - size_t maximum_fragment_size() const; - void send_record(byte record_type, const std::vector<byte>& record); void send_record_under_epoch(u16bit epoch, byte record_type, diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp index 623a52225..368e4569e 100644 --- a/src/lib/tls/tls_client.cpp +++ b/src/lib/tls/tls_client.cpp @@ -509,7 +509,6 @@ void Client::process_handshake_msg(const Handshake_State* active_state, state.server_hello()->ciphersuite(), state.server_hello()->compression_method(), CLIENT, - state.server_hello()->fragment_size(), state.server_hello()->supports_extended_master_secret(), get_peer_cert_chain(state), session_ticket, diff --git a/src/lib/tls/tls_extensions.cpp b/src/lib/tls/tls_extensions.cpp index 6bf32f1f1..b81a0dcb9 100644 --- a/src/lib/tls/tls_extensions.cpp +++ b/src/lib/tls/tls_extensions.cpp @@ -24,9 +24,6 @@ Extension* make_extension(TLS_Data_Reader& reader, case TLSEXT_SERVER_NAME_INDICATION: return new Server_Name_Indicator(reader, size); - case TLSEXT_MAX_FRAGMENT_LENGTH: - return new Maximum_Fragment_Length(reader, size); - case TLSEXT_SRP_IDENTIFIER: return new SRP_Identifier(reader, size); @@ -215,53 +212,6 @@ std::vector<byte> Renegotiation_Extension::serialize() const return buf; } -std::vector<byte> Maximum_Fragment_Length::serialize() const - { - switch(m_max_fragment) - { - case 512: - return std::vector<byte>(1, 1); - case 1024: - return std::vector<byte>(1, 2); - case 2048: - return std::vector<byte>(1, 3); - case 4096: - return std::vector<byte>(1, 4); - default: - throw Invalid_Argument("Bad setting " + - std::to_string(m_max_fragment) + - " for maximum fragment size"); - } - } - -Maximum_Fragment_Length::Maximum_Fragment_Length(TLS_Data_Reader& reader, - u16bit extension_size) - { - if(extension_size != 1) - throw Decoding_Error("Bad size for maximum fragment extension"); - - const byte val = reader.get_byte(); - - switch(val) - { - case 1: - m_max_fragment = 512; - break; - case 2: - m_max_fragment = 1024; - break; - case 3: - m_max_fragment = 2048; - break; - case 4: - m_max_fragment = 4096; - break; - default: - throw TLS_Exception(Alert::ILLEGAL_PARAMETER, - "Bad value " + std::to_string(val) + " for max fragment len"); - } - } - Application_Layer_Protocol_Notification::Application_Layer_Protocol_Notification(TLS_Data_Reader& reader, u16bit extension_size) { diff --git a/src/lib/tls/tls_extensions.h b/src/lib/tls/tls_extensions.h index 8b2cbc096..a4ca31410 100644 --- a/src/lib/tls/tls_extensions.h +++ b/src/lib/tls/tls_extensions.h @@ -23,7 +23,7 @@ class TLS_Data_Reader; enum Handshake_Extension_Type { TLSEXT_SERVER_NAME_INDICATION = 0, - TLSEXT_MAX_FRAGMENT_LENGTH = 1, + // 1 is maximum fragment length TLSEXT_CLIENT_CERT_URL = 2, TLSEXT_TRUSTED_CA_KEYS = 3, TLSEXT_TRUNCATED_HMAC = 4, @@ -150,38 +150,6 @@ class Renegotiation_Extension final : public Extension }; /** -* Maximum Fragment Length Negotiation Extension (RFC 4366 sec 3.2) -*/ -class Maximum_Fragment_Length final : public Extension - { - public: - static Handshake_Extension_Type static_type() - { return TLSEXT_MAX_FRAGMENT_LENGTH; } - - Handshake_Extension_Type type() const override { return static_type(); } - - bool empty() const override { return false; } - - size_t fragment_size() const { return m_max_fragment; } - - std::vector<byte> serialize() const override; - - /** - * @param max_fragment specifies what maximum fragment size to - * advertise. Currently must be one of 512, 1024, 2048, or - * 4096. - */ - Maximum_Fragment_Length(size_t max_fragment) : - m_max_fragment(max_fragment) {} - - Maximum_Fragment_Length(TLS_Data_Reader& reader, - u16bit extension_size); - - private: - size_t m_max_fragment; - }; - -/** * ALPN (RFC 7301) */ class Application_Layer_Protocol_Notification final : public Extension diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h index ba05ee9a7..739eca23e 100644 --- a/src/lib/tls/tls_messages.h +++ b/src/lib/tls/tls_messages.h @@ -114,13 +114,6 @@ class Client_Hello final : public Handshake_Message return std::vector<byte>(); } - size_t fragment_size() const - { - if(Maximum_Fragment_Length* frag = m_extensions.get<Maximum_Fragment_Length>()) - return frag->fragment_size(); - return 0; - } - bool supports_session_ticket() const { return m_extensions.has<Session_Ticket>(); @@ -225,13 +218,6 @@ class Server_Hello final : public Handshake_Message return std::vector<byte>(); } - size_t fragment_size() const - { - if(Maximum_Fragment_Length* frag = m_extensions.get<Maximum_Fragment_Length>()) - return frag->fragment_size(); - return 0; - } - bool supports_extended_master_secret() const { return m_extensions.has<Extended_Master_Secret>(); diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp index 76db9ce6b..6aed40479 100644 --- a/src/lib/tls/tls_server.cpp +++ b/src/lib/tls/tls_server.cpp @@ -665,7 +665,6 @@ void Server::process_handshake_msg(const Handshake_State* active_state, state.server_hello()->ciphersuite(), state.server_hello()->compression_method(), SERVER, - state.server_hello()->fragment_size(), state.server_hello()->supports_extended_master_secret(), get_peer_cert_chain(state), std::vector<byte>(), diff --git a/src/lib/tls/tls_session.cpp b/src/lib/tls/tls_session.cpp index dbdb99ac8..6d5fc1a7b 100644 --- a/src/lib/tls/tls_session.cpp +++ b/src/lib/tls/tls_session.cpp @@ -23,7 +23,6 @@ Session::Session(const std::vector<byte>& session_identifier, u16bit ciphersuite, byte compression_method, Connection_Side side, - size_t fragment_size, bool extended_master_secret, const std::vector<X509_Certificate>& certs, const std::vector<byte>& ticket, @@ -40,7 +39,6 @@ Session::Session(const std::vector<byte>& session_identifier, m_connection_side(side), m_srtp_profile(srtp_profile), m_extended_master_secret(extended_master_secret), - m_fragment_size(fragment_size), m_peer_certs(certs), m_server_info(server_info), m_srp_identifier(srp_identifier) @@ -69,6 +67,7 @@ Session::Session(const byte ber[], size_t ber_len) size_t start_time = 0; size_t srtp_profile = 0; + size_t fragment_size = 0; BER_Decoder(ber, ber_len) .start_cons(SEQUENCE) @@ -82,7 +81,7 @@ Session::Session(const byte ber[], size_t ber_len) .decode_integer_type(m_ciphersuite) .decode_integer_type(m_compression_method) .decode_integer_type(side_code) - .decode_integer_type(m_fragment_size) + .decode_integer_type(fragment_size) .decode(m_extended_master_secret) .decode(m_master_secret, OCTET_STRING) .decode(peer_cert_bits, OCTET_STRING) @@ -94,6 +93,16 @@ Session::Session(const byte ber[], size_t ber_len) .end_cons() .verify_end(); + /* + Fragment size is not supported anymore, but the field is still + set in the session object. + */ + if(fragment_size != 0) + { + throw Decoding_Error("Serialized TLS session used maximum fragment length which is " + " no longer supported"); + } + m_version = Protocol_Version(major_version, minor_version); m_start_time = std::chrono::system_clock::from_time_t(start_time); m_connection_side = static_cast<Connection_Side>(side_code); @@ -131,7 +140,7 @@ secure_vector<byte> Session::DER_encode() const .encode(static_cast<size_t>(m_ciphersuite)) .encode(static_cast<size_t>(m_compression_method)) .encode(static_cast<size_t>(m_connection_side)) - .encode(static_cast<size_t>(m_fragment_size)) + .encode(static_cast<size_t>(/*old fragment size*/0)) .encode(m_extended_master_secret) .encode(m_master_secret, OCTET_STRING) .encode(peer_cert_bits, OCTET_STRING) diff --git a/src/lib/tls/tls_session.h b/src/lib/tls/tls_session.h index f38ca8e27..0e22037f6 100644 --- a/src/lib/tls/tls_session.h +++ b/src/lib/tls/tls_session.h @@ -38,8 +38,7 @@ class BOTAN_DLL Session m_compression_method(0), m_connection_side(static_cast<Connection_Side>(0)), m_srtp_profile(0), - m_extended_master_secret(false), - m_fragment_size(0) + m_extended_master_secret(false) {} /** @@ -51,7 +50,6 @@ class BOTAN_DLL Session u16bit ciphersuite, byte compression_method, Connection_Side side, - size_t fragment_size, bool supports_extended_master_secret, const std::vector<X509_Certificate>& peer_certs, const std::vector<byte>& session_ticket, @@ -153,11 +151,6 @@ class BOTAN_DLL Session const std::vector<byte>& session_id() const { return m_identifier; } /** - * Get the negotiated maximum fragment size (or 0 if default) - */ - size_t fragment_size() const { return m_fragment_size; } - - /** * Get the negotiated DTLS-SRTP algorithm (RFC 5764) */ u16bit dtls_srtp_profile() const { return m_srtp_profile; } @@ -202,8 +195,6 @@ class BOTAN_DLL Session u16bit m_srtp_profile; bool m_extended_master_secret; - size_t m_fragment_size; - std::vector<X509_Certificate> m_peer_certs; Server_Information m_server_info; // optional std::string m_srp_identifier; // optional |