eden-emu/mbedtls
17
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Move MTU setting to SSL context, not config

Browse source 
This setting belongs to the individual connection, not to a configuration
shared by many connections. (If a default value is desired, that can be handled
by the application code that calls mbedtls_ssl_set_mtu().)

There are at least two ways in which this matters:
- per-connection settings can be adjusted if MTU estimates become available
  during the lifetime of the connection
- it is at least conceivable that a server might recognize restricted clients
  based on range of IPs and immediately set a lower MTU for them. This is much
easier to do with a per-connection setting than by maintaining multiple
near-duplicated ssl_config objects that differ only by the MTU setting.
This commit is contained in:
Manuel Pégourié-Gonnard 2018-08-20 10:37:23 +02:00
parent 38110dfc0e
commit 6e7aaca146
5 changed files with 63 additions and 52 deletions
Download patch file Download diff file Expand all files Collapse all files

74
include/mbedtls/ssl.h
View file

@ -958,10 +958,6 @@ struct mbedtls_ssl_config
unsigned int dhm_min_bitlen; /*!< min. bit length of the DHM prime */
#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)
uint16_t mtu; /*!< path mtu, used to fragment outoing messages */
#endif
unsigned char max_major_ver; /*!< max. major version used */
unsigned char max_minor_ver; /*!< max. minor version used */
unsigned char min_major_ver; /*!< min. major version used */
@ -1116,6 +1112,10 @@ struct mbedtls_ssl_context
size_t out_msglen; /*!< record header: message length */
size_t out_left; /*!< amount of data not yet written */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
uint16_t mtu; /*!< path mtu, used to fragment outoing messages */
#endif
#if defined(MBEDTLS_ZLIB_SUPPORT)
unsigned char *compress_buf; /*!< zlib data buffer */
#endif
@ -1378,6 +1378,39 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
mbedtls_ssl_recv_t *f_recv,
mbedtls_ssl_recv_timeout_t *f_recv_timeout );
#if defined(MBEDTLS_SSL_PROTO_DTLS)
/**
* \brief Set the Maximum Tranport Unit (MTU).
* Special value: 0 means unset (no limit).
* This represents the maximum size of a datagram payload
* handled by the transport layer (usually UDP) as determined
* by the network link and stack. In practice, this controls
* the maximum size datagram the DTLS layer will pass to the
* \c f_send() callback set using \c mbedtls_ssl_set_bio().
*
* \note This can be called at any point during the connection, for
* example when a PMTU estimate becomes available from other
* sources, such as lower (or higher) protocol layers.
*
* \note This only controls the size of the packet we send.
* Client-side, you can request the server to use smaller
* records with \c mbedtls_conf_max_frag_len().
*
* \note If both a MTU and a maximum fragment length have been
* configured (or negotiated with the peer), the lower limit
* is used.
*
* \note Values larger than \c MBEDTLS_SSL_OUT_CONTENT_LEN have no
* effect. This can only be used to decrease the maximum size
* of datagrams sent. Values lower than record layer expansion
* are ignored.
*
* \param ssl SSL context
* \param mtu Value of the path MTU in bytes
*/
void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu );
#endif /* MBEDTLS_SSL_PROTO_DTLS */
/**
* \brief Set the timeout period for mbedtls_ssl_read()
* (Default: no timeout.)
@ -2427,35 +2460,6 @@ void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
char cert_req_ca_list );
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
/**
* \brief Set the Maximum Tranport Unit (MTU).
* Special value: 0 means unset (no limit).
* This represents the maximum size of a datagram payload
* handled by the transport layer (usually UDP) as determined
* by the network link and stack. In practice, this controls
* the maximum size datagram the DTLS layer will pass to the
* \c f_send() callback set using \c mbedtls_ssl_set_bio().
*
* \note This only controls the size of the packet we send.
* Client-side, you can request the server to use smaller
* records with \c mbedtls_conf_max_frag_len().
*
* \note If both a MTU and a maximum fragment length have been
* configured (or negotiated with the peer), the lower limit
* is used.
*
* \note Values larger than \c MBEDTLS_SSL_OUT_CONTENT_LEN have no
* effect. This can only be used to decrease the maximum size
* of datagrams sent. Values lower than record layer expansion
* are ignored.
*
* \param conf SSL configuration
* \param mtu Value of the path MTU in bytes
*/
void mbedtls_ssl_conf_mtu( mbedtls_ssl_config *conf, uint16_t mtu );
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/**
* \brief Set the maximum fragment length to emit and/or negotiate
@ -2476,7 +2480,7 @@ void mbedtls_ssl_conf_mtu( mbedtls_ssl_config *conf, uint16_t mtu );
*
* \note For DTLS, it is also possible to set a limit for the total
* size of daragrams passed to the transport layer, including
* record overhead, see \c mbedtls_ssl_conf_mtu().
* record overhead, see \c mbedtls_ssl_set_mtu().
*
* \param conf SSL configuration
* \param mfl_code Code for maximum fragment length (allowed values:
@ -2784,7 +2788,7 @@ size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl );
* \note This function is not available (always returns an error)
* when record compression is enabled.
*
* \sa mbedtls_ssl_conf_mtu()
* \sa mbedtls_ssl_set_mtu()
* \sa mbedtls_ssl_get_max_frag_len()
* \sa mbedtls_ssl_get_record_expansion()
*