cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-10-30 19:20:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Add basic first tests for MTU setting

Browse Source 
For now, just check that it causes us to fragment. More tests are coming in
follow-up commits to ensure we respect the exact value set, including when
renegotiating.
This commit is contained in:
Manuel Pégourié-Gonnard 2018-08-12 13:28:53 +02:00
parent 637e234d9f
commit b747c6cf9b
4 changed files with 103 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
library/ssl_tls.c
View File

@ -2905,6 +2905,9 @@ int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
const size_t frag_len = rem_len > max_hs_fragment_len const size_t frag_len = rem_len > max_hs_fragment_len
? max_hs_fragment_len : rem_len; ? max_hs_fragment_len : rem_len;
if( frag_off == 0 && frag_len != hs_len )
MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message" ) );
/* Messages are stored with handshake headers as if not fragmented, /* Messages are stored with handshake headers as if not fragmented,
* copy beginning of headers then fill fragmentation fields. * copy beginning of headers then fill fragmentation fields.
* Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */ * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */

15
programs/ssl/ssl_client2.c
View File

@ -106,6 +106,7 @@ int main( void )
#define DFL_TRANSPORT MBEDTLS_SSL_TRANSPORT_STREAM #define DFL_TRANSPORT MBEDTLS_SSL_TRANSPORT_STREAM
#define DFL_HS_TO_MIN 0 #define DFL_HS_TO_MIN 0
#define DFL_HS_TO_MAX 0 #define DFL_HS_TO_MAX 0
#define DFL_DTLS_MTU -1
#define DFL_FALLBACK -1 #define DFL_FALLBACK -1
#define DFL_EXTENDED_MS -1 #define DFL_EXTENDED_MS -1
#define DFL_ETM -1 #define DFL_ETM -1
@ -198,7 +199,8 @@ int main( void )
#define USAGE_DTLS \ #define USAGE_DTLS \
" dtls=%%d default: 0 (TLS)\n" \ " dtls=%%d default: 0 (TLS)\n" \
" hs_timeout=%%d-%%d default: (library default: 1000-60000)\n" \ " hs_timeout=%%d-%%d default: (library default: 1000-60000)\n" \
" range of DTLS handshake timeouts in millisecs\n" " range of DTLS handshake timeouts in millisecs\n" \
" mtu=%%d default: (library default: unlimited)\n"
#else #else
#define USAGE_DTLS "" #define USAGE_DTLS ""
#endif #endif
@ -345,6 +347,7 @@ struct options
int transport; /* TLS or DTLS? */ int transport; /* TLS or DTLS? */
uint32_t hs_to_min; /* Initial value of DTLS handshake timer */ uint32_t hs_to_min; /* Initial value of DTLS handshake timer */
uint32_t hs_to_max; /* Max value of DTLS handshake timer */ uint32_t hs_to_max; /* Max value of DTLS handshake timer */
int dtls_mtu; /* UDP Maximum tranport unit for DTLS */
int fallback; /* is this a fallback connection? */ int fallback; /* is this a fallback connection? */
int extended_ms; /* negotiate extended master secret? */ int extended_ms; /* negotiate extended master secret? */
int etm; /* negotiate encrypt then mac? */ int etm; /* negotiate encrypt then mac? */
@ -617,6 +620,7 @@ int main( int argc, char *argv[] )
opt.transport = DFL_TRANSPORT; opt.transport = DFL_TRANSPORT;
opt.hs_to_min = DFL_HS_TO_MIN; opt.hs_to_min = DFL_HS_TO_MIN;
opt.hs_to_max = DFL_HS_TO_MAX; opt.hs_to_max = DFL_HS_TO_MAX;
opt.dtls_mtu = DFL_DTLS_MTU;
opt.fallback = DFL_FALLBACK; opt.fallback = DFL_FALLBACK;
opt.extended_ms = DFL_EXTENDED_MS; opt.extended_ms = DFL_EXTENDED_MS;
opt.etm = DFL_ETM; opt.etm = DFL_ETM;
@ -927,6 +931,12 @@ int main( int argc, char *argv[] )
if( opt.hs_to_min == 0 || opt.hs_to_max < opt.hs_to_min ) if( opt.hs_to_min == 0 || opt.hs_to_max < opt.hs_to_min )
goto usage; goto usage;
} }
else if( strcmp( p, "mtu" ) == 0 )
{
opt.dtls_mtu = atoi( q );
if( opt.dtls_mtu < 0 )
goto usage;
}
else if( strcmp( p, "recsplit" ) == 0 ) else if( strcmp( p, "recsplit" ) == 0 )
{ {
opt.recsplit = atoi( q ); opt.recsplit = atoi( q );
@ -1327,6 +1337,9 @@ int main( int argc, char *argv[] )
if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min,
opt.hs_to_max ); opt.hs_to_max );
if( opt.dtls_mtu != DFL_DTLS_MTU )
mbedtls_ssl_conf_mtu( &conf, opt.dtls_mtu );
#endif /* MBEDTLS_SSL_PROTO_DTLS */ #endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)

15
programs/ssl/ssl_server2.c
View File

@ -150,6 +150,7 @@ int main( void )
#define DFL_ANTI_REPLAY -1 #define DFL_ANTI_REPLAY -1
#define DFL_HS_TO_MIN 0 #define DFL_HS_TO_MIN 0
#define DFL_HS_TO_MAX 0 #define DFL_HS_TO_MAX 0
#define DFL_DTLS_MTU -1
#define DFL_BADMAC_LIMIT -1 #define DFL_BADMAC_LIMIT -1
#define DFL_EXTENDED_MS -1 #define DFL_EXTENDED_MS -1
#define DFL_ETM -1 #define DFL_ETM -1
@ -297,7 +298,8 @@ int main( void )
#define USAGE_DTLS \ #define USAGE_DTLS \
" dtls=%%d default: 0 (TLS)\n" \ " dtls=%%d default: 0 (TLS)\n" \
" hs_timeout=%%d-%%d default: (library default: 1000-60000)\n" \ " hs_timeout=%%d-%%d default: (library default: 1000-60000)\n" \
" range of DTLS handshake timeouts in millisecs\n" " range of DTLS handshake timeouts in millisecs\n" \
" mtu=%%d default: (library default: unlimited)\n"
#else #else
#define USAGE_DTLS "" #define USAGE_DTLS ""
#endif #endif
@ -470,6 +472,7 @@ struct options
int anti_replay; /* Use anti-replay for DTLS? -1 for default */ int anti_replay; /* Use anti-replay for DTLS? -1 for default */
uint32_t hs_to_min; /* Initial value of DTLS handshake timer */ uint32_t hs_to_min; /* Initial value of DTLS handshake timer */
uint32_t hs_to_max; /* Max value of DTLS handshake timer */ uint32_t hs_to_max; /* Max value of DTLS handshake timer */
int dtls_mtu; /* UDP Maximum tranport unit for DTLS */
int badmac_limit; /* Limit of records with bad MAC */ int badmac_limit; /* Limit of records with bad MAC */
} opt; } opt;
@ -1338,6 +1341,7 @@ int main( int argc, char *argv[] )
opt.anti_replay = DFL_ANTI_REPLAY; opt.anti_replay = DFL_ANTI_REPLAY;
opt.hs_to_min = DFL_HS_TO_MIN; opt.hs_to_min = DFL_HS_TO_MIN;
opt.hs_to_max = DFL_HS_TO_MAX; opt.hs_to_max = DFL_HS_TO_MAX;
opt.dtls_mtu = DFL_DTLS_MTU;
opt.badmac_limit = DFL_BADMAC_LIMIT; opt.badmac_limit = DFL_BADMAC_LIMIT;
opt.extended_ms = DFL_EXTENDED_MS; opt.extended_ms = DFL_EXTENDED_MS;
opt.etm = DFL_ETM; opt.etm = DFL_ETM;
@ -1684,6 +1688,12 @@ int main( int argc, char *argv[] )
if( opt.hs_to_min == 0 || opt.hs_to_max < opt.hs_to_min ) if( opt.hs_to_min == 0 || opt.hs_to_max < opt.hs_to_min )
goto usage; goto usage;
} }
else if( strcmp( p, "mtu" ) == 0 )
{
opt.dtls_mtu = atoi( q );
if( opt.dtls_mtu < 0 )
goto usage;
}
else if( strcmp( p, "sni" ) == 0 ) else if( strcmp( p, "sni" ) == 0 )
{ {
opt.sni = q; opt.sni = q;
@ -2155,6 +2165,9 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max ); mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max );
if( opt.dtls_mtu != DFL_DTLS_MTU )
mbedtls_ssl_conf_mtu( &conf, opt.dtls_mtu );
#endif /* MBEDTLS_SSL_PROTO_DTLS */ #endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)

76
tests/ssl-opt.sh
View File

@ -4911,7 +4911,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "DTLS fragmenting: server only" \ run_test "DTLS fragmenting: server only (max_frag_len)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \ crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \ key_file=data_files/server7.key \
@ -4929,7 +4929,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "DTLS fragmenting: server only (more)" \ run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \ crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \ key_file=data_files/server7.key \
@ -4947,7 +4947,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "DTLS fragmenting: client-initiated, server only" \ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=none \ "$P_SRV dtls=1 debug_level=2 auth_mode=none \
crt_file=data_files/server7_int-ca.crt \ crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \ key_file=data_files/server7.key \
@ -4965,7 +4965,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "DTLS fragmenting: client-initiated, both" \ run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \ crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \ key_file=data_files/server7.key \
@ -4979,6 +4979,74 @@ run_test "DTLS fragmenting: client-initiated, both" \
-c "found fragmented DTLS handshake message" \ -c "found fragmented DTLS handshake message" \
-C "error" -C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
run_test "DTLS fragmenting: none (for reference) (MTU)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
mtu=2048" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
mtu=2048" \
0 \
-S "found fragmented DTLS handshake message" \
-C "found fragmented DTLS handshake message" \
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
run_test "DTLS fragmenting: client (MTU)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
mtu=2048" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
mtu=512" \
0 \
-s "found fragmented DTLS handshake message" \
-C "found fragmented DTLS handshake message" \
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
run_test "DTLS fragmenting: server (MTU)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
mtu=512" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
mtu=2048" \
0 \
-S "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
run_test "DTLS fragmenting: both (MTU)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
mtu=512" \
"$P_CLI dtls=1 debug_level=2 \
crt_file=data_files/server8_int-ca2.crt \
key_file=data_files/server8.key \
mtu=512" \
0 \
-s "found fragmented DTLS handshake message" \
-c "found fragmented DTLS handshake message" \
-C "error"
# Tests for specific things with "unreliable" UDP connection # Tests for specific things with "unreliable" UDP connection
not_with_valgrind # spurious resend due to timeout not_with_valgrind # spurious resend due to timeout