提交 aefb9256 编写于 作者: M Matt Caswell

Don't attempt to send fragments > max_send_fragment in DTLS

We were allocating the write buffer based on the size of max_send_fragment,
but ignoring it when writing data. We should fragment handshake messages
if they exceed max_send_fragment and reject application data writes that
are too large.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3286)
上级 bd79bcb4
...@@ -2607,6 +2607,7 @@ int ERR_load_SSL_strings(void); ...@@ -2607,6 +2607,7 @@ int ERR_load_SSL_strings(void);
# define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150 # define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
# define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151 # define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
# define SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN 204 # define SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN 204
# define SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE 194
# define SSL_R_EXCESSIVE_MESSAGE_SIZE 152 # define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
# define SSL_R_EXTRA_DATA_IN_MESSAGE 153 # define SSL_R_EXTRA_DATA_IN_MESSAGE 153
# define SSL_R_EXT_LENGTH_MISMATCH 163 # define SSL_R_EXT_LENGTH_MISMATCH 163
......
...@@ -882,6 +882,11 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, ...@@ -882,6 +882,11 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
if (len == 0 && !create_empty_fragment) if (len == 0 && !create_empty_fragment)
return 0; return 0;
if (len > s->max_send_fragment) {
SSLerr(SSL_F_DO_DTLS1_WRITE, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE);
return 0;
}
sess = s->session; sess = s->session;
if ((sess == NULL) || if ((sess == NULL) ||
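Review bot: The new `len > s->max_send_fragment` rejection returns 0, the same value as the zero-length early return just above it, so a caller that inspects only the return value cannot tell an oversize write from a no-op and has to consult the error queue. Whether 0 is this function's failure convention is decided outside the hunk and should be confirmed against the callers. The check also has no comment, although per the commit message it is what keeps a write inside the buffer sized from max_send_fragment; I would add `/* The write buffer is sized from max_send_fragment, so larger writes are rejected rather than sent */` above it. The types of `len` and `max_send_fragment` are not visible here, so it is worth checking that this is not a mixed signed/unsigned comparison. do_dtls1_write's body starts and ends outside the hunk.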
......
...@@ -590,6 +590,8 @@ static ERR_STRING_DATA SSL_str_reasons[] = { ...@@ -590,6 +590,8 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"error in received cipher list"}, "error in received cipher list"},
{ERR_REASON(SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN), {ERR_REASON(SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN),
"error setting tlsa base domain"}, "error setting tlsa base domain"},
{ERR_REASON(SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE),
"exceeds max fragment size"},
{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE), "excessive message size"}, {ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE), "excessive message size"},
{ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE), "extra data in message"}, {ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE), "extra data in message"},
{ERR_REASON(SSL_R_EXT_LENGTH_MISMATCH), "ext length mismatch"}, {ERR_REASON(SSL_R_EXT_LENGTH_MISMATCH), "ext length mismatch"},
......
...@@ -214,6 +214,9 @@ int dtls1_do_write(SSL *s, int type) ...@@ -214,6 +214,9 @@ int dtls1_do_write(SSL *s, int type)
else else
len = s->init_num; len = s->init_num;
if (len > s->max_send_fragment)
len = s->max_send_fragment;
/* /*
* XDTLS: this function is too long. split out the CCS part * XDTLS: this function is too long. split out the CCS part
*/ */
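Review bot: The clamp `len = s->max_send_fragment` has no visible lower bound, so with a very small max_send_fragment the fragment length could end up at or below the size of the handshake fragment header, leaving no room for message data. The hunk does not show whether a later check in dtls1_do_write covers that case, so it should be confirmed. A one-line comment would also help, for example `/* Cap this fragment at max_send_fragment; the rest of the message goes out in later fragments */`, which matches the intent stated in the commit message. dtls1_do_write's body starts and ends outside the hunk.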
......