Disable dtls fragmentation for ClientHello messages

Set the handshake mtu to unlimited when encountering a ClienHello message and reset it to its previous value after writing the record.
2025-11-03 12:11:27 -05:00 · 2018-10-05 08:06:01 -04:00 · 2018-10-05 08:06:01 -04:00 · 6290dae909
commit 6290dae909
parent 52f8491dc2
1 changed files with 19 additions and 0 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -212,7 +212,10 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
     * delivered) of any compliant IPv4 (and IPv6) network, and should work
     * on most non-IP stacks too. */
    if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
+    {
        ssl->handshake->mtu = 508;
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
+    }

    new_timeout = 2 * ssl->handshake->retransmit_timeout;

@ -2945,6 +2948,7 @@ int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
 {
    int ret;
+    uint16_t mtu_temp = 0;
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );

    if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
@ -2979,6 +2983,15 @@ int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
            ssl_swap_epochs( ssl );
        }

+        /* Disable handshake mtu for client hello message to avoid fragmentation.
+         * Setting it back after calling mbedtls_ssl_write_record */
+        if( ssl->out_msg[0] == MBEDTLS_SSL_HS_CLIENT_HELLO )
+        {
+            mtu_temp = ssl->handshake->mtu;
+            ssl->handshake->mtu = 0;
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "disabling fragmentation of ClientHello message" ) );
+        }
+
        ret = ssl_get_remaining_payload_in_datagram( ssl );
        if( ret < 0 )
            return( ret );
@ -3077,6 +3090,12 @@ int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
            return( ret );
        }
+
+        if( mtu_temp != 0 )
+        {
+            ssl->handshake->mtu = mtu_temp;
+            mtu_temp = 0;
+        }
    }

    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )