From 34aa187df6a914d94d56d8b3aeab5692a1a3d59c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 23 Aug 2018 19:07:15 +0200 Subject: [PATCH 1/8] Force IPv4 for gnutls-cli DTLS tests Depending on the settings of the local machine, gnutls-cli will either try IPv4 or IPv6 when trying to connect to localhost. With TLS, whatever it tries first, it will notice if any failure happens and try the other protocol if necessary. With DTLS it can't do that. Unfortunately for now there isn't really any good way to specify an address and hostname independently, though that might come soon: https://gitlab.com/gnutls/gnutls/issues/344 A work around is to specify an address directly and then use --insecure to ignore certificate hostname mismatch; that is OK for tests that are completely unrelated to certificate verification (such as the recent fragmenting tests) but unacceptable for others. For that reason, don't specify a default hostname for gnutls-cli, but instead let each test choose between `--insecure 127.0.0.1` and `localhost` (or `--insecure '::1'` if desired). Alternatives include: - having test certificates with 127.0.0.1 as the hostname, but having an IP as the CN is unusual, and we would need to change our test certs; - have our server open two sockets under the hood and listen on both IPv4 and IPv6 (that's what gnutls-serv does, and IMO it's a good thing) but that obviously requires development and testing (esp. for windows compatibility) - wait for a newer version of GnuTLS to be released, install it on the CI and developer machines, and use that in all tests - quite satisfying but can't be done now (and puts stronger requirements on test environment). --- tests/ssl-opt.sh | 52 ++++++++++++++++++++---------------------------- 1 file changed, 22 insertions(+), 30 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ec2717ad57..e89d3a9817 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -765,7 +765,7 @@ P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem" O_CLI="$O_CLI -connect localhost:+SRV_PORT" G_SRV="$G_SRV -p $SRV_PORT" -G_CLI="$G_CLI -p +SRV_PORT localhost" +G_CLI="$G_CLI -p +SRV_PORT" if [ -n "${OPENSSL_LEGACY:-}" ]; then O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem" @@ -777,7 +777,7 @@ if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then fi if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then - G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT localhost" + G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT" fi # Allow SHA-1, because many of our test certificates use it @@ -2118,7 +2118,7 @@ run_test "Renego ext: gnutls server unsafe, client break legacy" \ requires_gnutls run_test "Renego ext: gnutls client strict, server default" \ "$P_SRV debug_level=3" \ - "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \ + "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \ 0 \ -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ -s "server hello, secure renegotiation extension" @@ -2126,7 +2126,7 @@ run_test "Renego ext: gnutls client strict, server default" \ requires_gnutls run_test "Renego ext: gnutls client unsafe, server default" \ "$P_SRV debug_level=3" \ - "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ + "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \ 0 \ -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ -S "server hello, secure renegotiation extension" @@ -2134,7 +2134,7 @@ run_test "Renego ext: gnutls client unsafe, server default" \ requires_gnutls run_test "Renego ext: gnutls client unsafe, server break legacy" \ "$P_SRV debug_level=3 allow_legacy=-1" \ - "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ + "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \ 1 \ -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ -S "server hello, secure renegotiation extension" @@ -2145,7 +2145,7 @@ requires_gnutls run_test "DER format: no trailing bytes" \ "$P_SRV crt_file=data_files/server5-der0.crt \ key_file=data_files/server5.key" \ - "$G_CLI " \ + "$G_CLI localhost" \ 0 \ -c "Handshake was completed" \ @@ -2153,7 +2153,7 @@ requires_gnutls run_test "DER format: with a trailing zero byte" \ "$P_SRV crt_file=data_files/server5-der1a.crt \ key_file=data_files/server5.key" \ - "$G_CLI " \ + "$G_CLI localhost" \ 0 \ -c "Handshake was completed" \ @@ -2161,7 +2161,7 @@ requires_gnutls run_test "DER format: with a trailing random byte" \ "$P_SRV crt_file=data_files/server5-der1b.crt \ key_file=data_files/server5.key" \ - "$G_CLI " \ + "$G_CLI localhost" \ 0 \ -c "Handshake was completed" \ @@ -2169,7 +2169,7 @@ requires_gnutls run_test "DER format: with 2 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der2.crt \ key_file=data_files/server5.key" \ - "$G_CLI " \ + "$G_CLI localhost" \ 0 \ -c "Handshake was completed" \ @@ -2177,7 +2177,7 @@ requires_gnutls run_test "DER format: with 4 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der4.crt \ key_file=data_files/server5.key" \ - "$G_CLI " \ + "$G_CLI localhost" \ 0 \ -c "Handshake was completed" \ @@ -2185,7 +2185,7 @@ requires_gnutls run_test "DER format: with 8 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der8.crt \ key_file=data_files/server5.key" \ - "$G_CLI " \ + "$G_CLI localhost" \ 0 \ -c "Handshake was completed" \ @@ -2193,7 +2193,7 @@ requires_gnutls run_test "DER format: with 9 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der9.crt \ key_file=data_files/server5.key" \ - "$G_CLI " \ + "$G_CLI localhost" \ 0 \ -c "Handshake was completed" \ @@ -3758,14 +3758,14 @@ run_test "Per-version suites: TLS 1.2" \ requires_gnutls run_test "ClientHello without extensions, SHA-1 allowed" \ "$P_SRV debug_level=3" \ - "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \ + "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \ 0 \ -s "dumping 'client hello extensions' (0 bytes)" requires_gnutls run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \ "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \ - "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \ + "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \ 0 \ -s "dumping 'client hello extensions' (0 bytes)" @@ -5394,35 +5394,31 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \ -c "fragmenting handshake message" \ -C "error" -# gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS -requires_ipv6 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_gnutls run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ - "$P_SRV dtls=1 debug_level=2 server_addr=::1 \ + "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ mtu=512 force_version=dtls1_2" \ - "$G_CLI -u" \ + "$G_CLI -u --insecure 127.0.0.1" \ 0 \ -s "fragmenting handshake message" -# gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS -requires_ipv6 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 requires_gnutls run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \ - "$P_SRV dtls=1 debug_level=2 server_addr=::1 \ + "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ mtu=512 force_version=dtls1" \ - "$G_CLI -u" \ + "$G_CLI -u --insecure 127.0.0.1" \ 0 \ -s "fragmenting handshake message" @@ -5524,8 +5520,6 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \ ## We can re-enable them when a fixed version fo GnuTLS is available ## and installed in our CI system. ## -## # gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS -## requires_ipv6 ## requires_gnutls ## requires_config_enabled MBEDTLS_SSL_PROTO_DTLS ## requires_config_enabled MBEDTLS_RSA_C @@ -5534,16 +5528,14 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \ ## client_needs_more_time 4 ## run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ ## -p "$P_PXY drop=8 delay=8 duplicate=8" \ -## "$P_SRV dtls=1 debug_level=2 server_addr=::1 \ +## "$P_SRV dtls=1 debug_level=2 \ ## crt_file=data_files/server7_int-ca.crt \ ## key_file=data_files/server7.key \ ## hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ -## "$G_CLI -u" \ +## "$G_CLI -u --insecure 127.0.0.1" \ ## 0 \ ## -s "fragmenting handshake message" ## -## # gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS -## requires_ipv6 ## requires_gnutls ## requires_config_enabled MBEDTLS_SSL_PROTO_DTLS ## requires_config_enabled MBEDTLS_RSA_C @@ -5552,11 +5544,11 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \ ## client_needs_more_time 4 ## run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \ ## -p "$P_PXY drop=8 delay=8 duplicate=8" \ -## "$P_SRV dtls=1 debug_level=2 server_addr=::1 \ +## "$P_SRV dtls=1 debug_level=2 \ ## crt_file=data_files/server7_int-ca.crt \ ## key_file=data_files/server7.key \ ## hs_timeout=250-60000 mtu=512 force_version=dtls1" \ -## "$G_CLI -u" \ +## "$G_CLI -u --insecure 127.0.0.1" \ ## 0 \ ## -s "fragmenting handshake message" From c83d2b3e095e114d2cdaf7597bfc6cbb318ccf8d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 22 Aug 2018 16:05:47 +0100 Subject: [PATCH 2/8] ssl_write_handshake_msg(): Allow alert on client-side SSLv3 In SSLv3, the client sends a NoCertificate alert in response to a CertificateRequest if it doesn't have a CRT. This previously lead to failure in ssl_write_handshake_msg() which only accepted handshake or CCS records. --- library/ssl_tls.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index faa9467e10..d22b0e228d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3049,11 +3049,19 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl ) /* * Sanity checks */ - if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE && + if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE && ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + /* In SSLv3, the client might send a NoCertificate alert. */ +#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C) + if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && + ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT && + ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ) +#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */ + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } } if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && From 081bd81865881b82fc5d04847189b01fe4df8c1e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 22 Aug 2018 16:07:59 +0100 Subject: [PATCH 3/8] ssl_write_handshake_msg(): Always append CCS messages to flights The previous code appended messages to flights only if their handshake type, as derived from the first byte in the message, was different from MBEDTLS_SSL_HS_HELLO_REQUEST. This check should only be performed for handshake records, while CCS records should immediately be appended. --- library/ssl_tls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d22b0e228d..3a972a5982 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3142,7 +3142,8 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl ) /* Either send now, or just save to be sent (and resent) later */ #if defined(MBEDTLS_SSL_PROTO_DTLS) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) + ( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || + hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) ) { if( ( ret = ssl_flight_append( ssl ) ) != 0 ) { From f4b010efc4b7f5056847810b4be4c960006b78cb Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 24 Aug 2018 10:47:29 +0100 Subject: [PATCH 4/8] Limit MTU by maximum fragment length setting By the standard (RFC 6066, Sect. 4), the Maximum Fragment Length (MFL) extension limits the maximum record payload size, but not the maximum datagram size. However, not inferring any limitations on the MTU when setting the MFL means that a party has no means to dynamically inform the peer about MTU limitations. This commit changes the function ssl_get_remaining_payload_in_datagram() to never return more than MFL - { Total size of all records within the current datagram } thereby limiting the MTU to MFL + { Maximum Record Expansion }. --- library/ssl_tls.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 0ea7898cf7..37ba93baff 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -146,6 +146,20 @@ static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl if( max_len > mfl ) max_len = mfl; + + /* By the standard (RFC 6066 Sect. 4), the MFL extension + * only limits the maximum record payload size, so in theory + * we would be allowed to pack multiple records of payload size + * MFL into a single datagram. However, this would mean that there's + * no way to explicitly communicate MTU restrictions to the peer. + * + * The following reduction of max_len makes sure that we never + * write datagrams larger than MFL + Record Expansion Overhead. + */ + if( max_len <= ssl->out_left ) + return( 0 ); + + max_len -= ssl->out_left; #endif ret = ssl_get_remaining_space_in_datagram( ssl ); From 1841b0a11c34e2c9bda4ccc5c72eb35313a226d5 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 24 Aug 2018 11:13:57 +0100 Subject: [PATCH 5/8] Rename ssl_conf_datagram_packing() to ssl_set_datagram_packing() The naming convention is that functions of the form mbedtls_ssl_conf_xxx() apply to the SSL configuration. --- ChangeLog | 2 +- include/mbedtls/ssl.h | 4 ++-- library/ssl_tls.c | 4 ++-- programs/ssl/ssl_client2.c | 2 +- programs/ssl/ssl_server2.c | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4bf4c8eb90..8f05896b75 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,7 +14,7 @@ Features enabled by default. API Changes - * Add function mbedtls_ssl_conf_datagram_packing() to configure + * Add function mbedtls_ssl_set_datagram_packing() to configure the use of datagram packing (enabled by default). Bugfix diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index c86a0f9286..e7f7ea40b4 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1842,8 +1842,8 @@ void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limi * are currently always sent in separate datagrams. * */ -void mbedtls_ssl_conf_datagram_packing( mbedtls_ssl_context *ssl, - unsigned allow_packing ); +void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl, + unsigned allow_packing ); /** * \brief Set retransmit timeout values for the DTLS handshake. diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 37ba93baff..378137c7e0 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6477,8 +6477,8 @@ void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limi #if defined(MBEDTLS_SSL_PROTO_DTLS) -void mbedtls_ssl_conf_datagram_packing( mbedtls_ssl_context *ssl, - unsigned allow_packing ) +void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl, + unsigned allow_packing ) { ssl->disable_datagram_packing = !allow_packing; } diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index cfcb27d1cc..efd2b30434 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1354,7 +1354,7 @@ int main( int argc, char *argv[] ) opt.hs_to_max ); if( opt.dgram_packing != DFL_DGRAM_PACKING ) - mbedtls_ssl_conf_datagram_packing( &ssl, opt.dgram_packing ); + mbedtls_ssl_set_datagram_packing( &ssl, opt.dgram_packing ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 8d414364a4..070c005553 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -2182,7 +2182,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max ); if( opt.dgram_packing != DFL_DGRAM_PACKING ) - mbedtls_ssl_conf_datagram_packing( &ssl, opt.dgram_packing ); + mbedtls_ssl_set_datagram_packing( &ssl, opt.dgram_packing ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) From eb57008d7d02d547b74a20fc5b210d25b9547f52 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 24 Aug 2018 11:28:35 +0100 Subject: [PATCH 6/8] Fix typo in documentation of mbedtls_ssl_set_datagram_packing() --- include/mbedtls/ssl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index e7f7ea40b4..da4b688287 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1838,7 +1838,7 @@ void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limi * or flight retransmission (if no buffering is used) as * means to deal with reordering are needed less frequently. * - * \note Application datagrams are not affected by this option and + * \note Application records are not affected by this option and * are currently always sent in separate datagrams. * */ From c92b5c8a0d913cf32586623e065ba113867593a6 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 24 Aug 2018 11:48:01 +0100 Subject: [PATCH 7/8] ssl-opt.sh: Add tests checking that MFL implies bounds on MTU This commit introduces some tests to ssl-opt.sh checking that setting the MFL limits the MTU to MFL + { Maximum Record Expansion }. --- tests/ssl-opt.sh | 78 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index e63d45fafc..9ac80a5cf2 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -5038,6 +5038,32 @@ run_test "DTLS fragmenting: server only (more) (max_frag_len)" \ -c "found fragmented DTLS handshake message" \ -C "error" +# While not required by the standard defining the MFL extension +# (according to which it only applies to records, not to datagrams), +# Mbed TLS will never send datagrams larger than MFL + { Max record expansion }, +# as otherwise there wouldn't be any means to communicate MTU restrictions +# to the peer. +# The next test checks that no datagrams significantly larger than the +# negotiated MFL are sent. +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +run_test "DTLS fragmenting: server only (more) (max_frag_len), proxy MTU" \ + -p "$P_PXY mtu=560" \ + "$P_SRV dtls=1 debug_level=2 auth_mode=required \ + crt_file=data_files/server7_int-ca.crt \ + key_file=data_files/server7.key \ + max_frag_len=512" \ + "$P_CLI dtls=1 debug_level=2 \ + crt_file=data_files/server8_int-ca2.crt \ + key_file=data_files/server8.key \ + max_frag_len=2048" \ + 0 \ + -S "found fragmented DTLS handshake message" \ + -c "found fragmented DTLS handshake message" \ + -C "error" + requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C @@ -5056,6 +5082,32 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \ -c "found fragmented DTLS handshake message" \ -C "error" +# While not required by the standard defining the MFL extension +# (according to which it only applies to records, not to datagrams), +# Mbed TLS will never send datagrams larger than MFL + { Max record expansion }, +# as otherwise there wouldn't be any means to communicate MTU restrictions +# to the peer. +# The next test checks that no datagrams significantly larger than the +# negotiated MFL are sent. +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \ + -p "$P_PXY mtu=560" \ + "$P_SRV dtls=1 debug_level=2 auth_mode=none \ + crt_file=data_files/server7_int-ca.crt \ + key_file=data_files/server7.key \ + max_frag_len=2048" \ + "$P_CLI dtls=1 debug_level=2 \ + crt_file=data_files/server8_int-ca2.crt \ + key_file=data_files/server8.key \ + max_frag_len=512" \ + 0 \ + -S "found fragmented DTLS handshake message" \ + -c "found fragmented DTLS handshake message" \ + -C "error" + requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C @@ -5074,6 +5126,32 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \ -c "found fragmented DTLS handshake message" \ -C "error" +# While not required by the standard defining the MFL extension +# (according to which it only applies to records, not to datagrams), +# Mbed TLS will never send datagrams larger than MFL + { Max record expansion }, +# as otherwise there wouldn't be any means to communicate MTU restrictions +# to the peer. +# The next test checks that no datagrams significantly larger than the +# negotiated MFL are sent. +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \ + -p "$P_PXY mtu=560" \ + "$P_SRV dtls=1 debug_level=2 auth_mode=required \ + crt_file=data_files/server7_int-ca.crt \ + key_file=data_files/server7.key \ + max_frag_len=2048" \ + "$P_CLI dtls=1 debug_level=2 \ + crt_file=data_files/server8_int-ca2.crt \ + key_file=data_files/server8.key \ + max_frag_len=512" \ + 0 \ + -s "found fragmented DTLS handshake message" \ + -c "found fragmented DTLS handshake message" \ + -C "error" + requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C From 69ca0ad5c4e5dda5143793bcb114022edc18a473 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 24 Aug 2018 12:11:35 +0100 Subject: [PATCH 8/8] ssl-opt.sh: Remove wrong test exercising MTU implications of MFL The negotiated MFL is always the one suggested by the client, even if the server has a smaller MFL configured locally. Hence, in the test where the client asks for an MFL of 4096 bytes while the server locally has an MFL of 512 bytes configured, the client will still send datagrams of up to ~4K size. --- tests/ssl-opt.sh | 32 +++++--------------------------- 1 file changed, 5 insertions(+), 27 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 953afae556..211c8544b6 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -5020,6 +5020,10 @@ run_test "DTLS fragmenting: server only (max_frag_len)" \ -c "found fragmented DTLS handshake message" \ -C "error" +# With the MFL extension, the server has no way of forcing +# the client to not exceed a certain MTU; hence, the following +# test can't be replicated with an MTU proxy such as the one +# `client-initiated, server only (max_frag_len)` below. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C @@ -5032,33 +5036,7 @@ run_test "DTLS fragmenting: server only (more) (max_frag_len)" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ - max_frag_len=2048" \ - 0 \ - -S "found fragmented DTLS handshake message" \ - -c "found fragmented DTLS handshake message" \ - -C "error" - -# While not required by the standard defining the MFL extension -# (according to which it only applies to records, not to datagrams), -# Mbed TLS will never send datagrams larger than MFL + { Max record expansion }, -# as otherwise there wouldn't be any means to communicate MTU restrictions -# to the peer. -# The next test checks that no datagrams significantly larger than the -# negotiated MFL are sent. -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -run_test "DTLS fragmenting: server only (more) (max_frag_len), proxy MTU" \ - -p "$P_PXY mtu=560" \ - "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ - max_frag_len=512" \ - "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ - max_frag_len=2048" \ + max_frag_len=4096" \ 0 \ -S "found fragmented DTLS handshake message" \ -c "found fragmented DTLS handshake message" \