diff --git a/ChangeLog b/ChangeLog index b05c962fa..975b3bac0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,9 +5,11 @@ mbed TLS ChangeLog (Sorted per branch, date) Features * Add support for fragmentation of outgoing DTLS handshake messages. This is controlled by the maximum fragment length as set locally or negotiated - with the peer, as well as new per-connection MTU option, set using + with the peer, as well as by a new per-connection MTU option, set using mbedtls_ssl_set_mtu(). - * Add support for fragmentation of outoing DTLS handshake messages. + * Add support for auto-adjustment of MTU to a safe value during the + handshake when flights do not get through (RFC 6347, section 4.1.1.1, + last paragraph). * Add support for packing multiple records within a single datagram, enabled by default. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index c1fad6ab4..b6700fc90 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1400,23 +1400,28 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, * the maximum size datagram the DTLS layer will pass to the * \c f_send() callback set using \c mbedtls_ssl_set_bio(). * + * \note The limit on datagram size is converted to a limit on + * record payload by subtracting the current overhead of + * encapsulation and encryption/authentication if any. + * * \note This can be called at any point during the connection, for * example when a PMTU estimate becomes available from other * sources, such as lower (or higher) protocol layers. * - * \note This only controls the size of the packets we send. - * Client-side, you can request the server to use smaller - * records with \c mbedtls_ssl_conf_max_frag_len(). + * \note This setting only controls the size of the packets we send, + * and does not restrict the size of the datagrams we're + * willing to receive. Client-side, you can request the + * server to use smaller records with \c + * mbedtls_ssl_conf_max_frag_len(). * * \note If both a MTU and a maximum fragment length have been * configured (or negotiated with the peer), the resulting - * lower limit (after translating the MTU setting to a limit - * on the record content length) is used. + * lower limit on record payload (see first note) is used. * * \note This can only be used to decrease the maximum size - * of datagrams sent. It cannot be used to increase the - * maximum size of records over the limit set by - * #MBEDTLS_SSL_OUT_CONTENT_LEN. + * of datagrams (hence records, see first note) sent. It + * cannot be used to increase the maximum size of records over + * the limit set by #MBEDTLS_SSL_OUT_CONTENT_LEN. * * \note Values lower than the current record layer expansion will * result in an error when trying to send data. diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 2c0684f3d..3f595a322 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -334,6 +334,8 @@ struct mbedtls_ssl_handshake_params } future_record; } buffering; + + uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */ #endif /* MBEDTLS_SSL_PROTO_DTLS */ /* diff --git a/library/ssl_tls.c b/library/ssl_tls.c index eceac913d..5fccedffe 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -109,9 +109,10 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_PROTO_DTLS) +static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl ); static uint16_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl ) { - uint16_t mtu = ssl->mtu; + uint16_t mtu = ssl_get_current_mtu( ssl ); if( mtu != 0 && mtu < MBEDTLS_SSL_OUT_BUFFER_LEN ) return( (int) mtu ); @@ -184,6 +185,15 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max ) return( -1 ); + /* Implement the final paragraph of RFC 6347 section 4.1.1.1 + * in the following way: after the initial transmission and a first + * retransmission, back off to a temporary estimated MTU of 508 bytes. + * This value is guaranteed to be deliverable (if not guaranteed to be + * delivered) of any compliant IPv4 (and IPv6) network, and should work + * on most non-IP stacks too. */ + if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min ) + ssl->handshake->mtu = 508; + new_timeout = 2 * ssl->handshake->retransmit_timeout; /* Avoid arithmetic overflow and range overflow */ @@ -7832,10 +7842,29 @@ size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ +#if defined(MBEDTLS_SSL_PROTO_DTLS) +static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl ) +{ + if( ssl->handshake == NULL || ssl->handshake->mtu == 0 ) + return( ssl->mtu ); + + if( ssl->mtu == 0 ) + return( ssl->handshake->mtu ); + + return( ssl->mtu < ssl->handshake->mtu ? + ssl->mtu : ssl->handshake->mtu ); +} +#endif /* MBEDTLS_SSL_PROTO_DTLS */ + int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ) { size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN; +#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \ + !defined(MBEDTLS_SSL_PROTO_DTLS) + (void) ssl; +#endif + #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl ); @@ -7844,9 +7873,9 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->mtu != 0 ) + if( ssl_get_current_mtu( ssl ) != 0 ) { - const size_t mtu = ssl->mtu; + const size_t mtu = ssl_get_current_mtu( ssl ); const int ret = mbedtls_ssl_get_record_expansion( ssl ); const size_t overhead = (size_t) ret; @@ -7862,7 +7891,7 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl ) if( max_len > mtu - overhead ) max_len = mtu - overhead; } -#endif +#endif /* MBEDTLS_SSL_PROTO_DTLS */ #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \ !defined(MBEDTLS_SSL_PROTO_DTLS) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 657aa8a7c..b77c096fb 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -5143,7 +5143,28 @@ run_test "DTLS fragmenting: both (MTU)" \ -c "found fragmented DTLS handshake message" \ -C "error" +# Test for automatic MTU reduction on repeated resend +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_ECDSA_C +run_test "DTLS fragmenting: proxy MTU: auto-reduction" \ + -p "$P_PXY mtu=508" \ + "$P_SRV dtls=1 debug_level=2 auth_mode=required \ + crt_file=data_files/server7_int-ca.crt \ + key_file=data_files/server7.key\ + hs_timeout=100-400" \ + "$P_CLI dtls=1 debug_level=2 \ + crt_file=data_files/server8_int-ca2.crt \ + key_file=data_files/server8.key \ + hs_timeout=100-400" \ + 0 \ + -s "found fragmented DTLS handshake message" \ + -c "found fragmented DTLS handshake message" \ + -C "error" + # the proxy shouldn't drop or mess up anything, so we shouldn't need to resend +# OTOH the client might resend if the server is to slow to reset after sending +# a HelloVerifyRequest, so only check for no retransmission server-side not_with_valgrind # spurious resend due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C @@ -5160,7 +5181,26 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake" \ mtu=512" \ 0 \ -S "resend" \ - -C "resend" \ + -s "found fragmented DTLS handshake message" \ + -c "found fragmented DTLS handshake message" \ + -C "error" + +not_with_valgrind # spurious resend due to timeout +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_ECDSA_C +run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio" \ + -p "$P_PXY mtu=512" \ + "$P_SRV dtls=1 debug_level=2 auth_mode=required \ + crt_file=data_files/server7_int-ca.crt \ + key_file=data_files/server7.key \ + mtu=512 nbio=2" \ + "$P_CLI dtls=1 debug_level=2 \ + crt_file=data_files/server8_int-ca2.crt \ + key_file=data_files/server8.key \ + mtu=512 nbio=2" \ + 0 \ + -S "resend" \ -s "found fragmented DTLS handshake message" \ -c "found fragmented DTLS handshake message" \ -C "error" @@ -5171,9 +5211,10 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake" \ # Since we don't support reading fragmented ClientHello yet, # up the MTU to 1450 (larger than ClientHello with session ticket, # but still smaller than client's Certificate to ensure fragmentation). -# # A resend on the client-side might happen if the server is # slow to reset, therefore omitting '-C "resend"' below. +# reco_delay avoids races where the client reconnects before the server has +# resumed listening, which would result in a spurious resend. not_with_valgrind # spurious resend due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C @@ -5187,7 +5228,7 @@ run_test "DTLS fragmenting: proxy MTU, resumed handshake" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ - mtu=1450 reconnect=1" \ + mtu=1450 reconnect=1 reco_delay=1" \ 0 \ -S "resend" \ -s "found fragmented DTLS handshake message" \ @@ -5363,6 +5404,25 @@ run_test "DTLS fragmenting: proxy MTU + 3d" \ -c "found fragmented DTLS handshake message" \ -C "error" +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_ECDSA_C +client_needs_more_time 2 +run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \ + -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \ + "$P_SRV dtls=1 debug_level=2 auth_mode=required \ + crt_file=data_files/server7_int-ca.crt \ + key_file=data_files/server7.key \ + hs_timeout=250-10000 mtu=512 nbio=2" \ + "$P_CLI dtls=1 debug_level=2 \ + crt_file=data_files/server8_int-ca2.crt \ + key_file=data_files/server8.key \ + hs_timeout=250-10000 mtu=512 nbio=2" \ + 0 \ + -s "found fragmented DTLS handshake message" \ + -c "found fragmented DTLS handshake message" \ + -C "error" + # interop tests for DTLS fragmentating with reliable connection # # here and below we just want to test that the we fragment in a way that @@ -5372,6 +5432,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_gnutls run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ "$G_SRV -u" \ "$P_CLI dtls=1 debug_level=2 \ @@ -5387,6 +5448,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 +requires_gnutls run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \ "$G_SRV -u" \ "$P_CLI dtls=1 debug_level=2 \ @@ -5403,6 +5465,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_gnutls run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 server_addr=::1 \ crt_file=data_files/server7_int-ca.crt \ @@ -5418,6 +5481,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 +requires_gnutls run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \ "$P_SRV dtls=1 debug_level=2 server_addr=::1 \ crt_file=data_files/server7_int-ca.crt \ @@ -5527,6 +5591,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \ ## ## # gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS ## requires_ipv6 +## requires_gnutls ## requires_config_enabled MBEDTLS_SSL_PROTO_DTLS ## requires_config_enabled MBEDTLS_RSA_C ## requires_config_enabled MBEDTLS_ECDSA_C @@ -5544,6 +5609,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \ ## ## # gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS ## requires_ipv6 +## requires_gnutls ## requires_config_enabled MBEDTLS_SSL_PROTO_DTLS ## requires_config_enabled MBEDTLS_RSA_C ## requires_config_enabled MBEDTLS_ECDSA_C