patch: Add option enable record_size_limit (#21)
This commit is contained in:
0x676e67
GitHub
parent
6ef0ca379e
commit
39914a641c
|
|
@ -4176,7 +4176,7 @@ index 4dd8841b1..23ffcd446 100644
|
|||
#if defined(__cplusplus)
|
||||
} /* extern C */
|
||||
diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h
|
||||
index 53aa9b453..765db2b10 100644
|
||||
index 53aa9b453..9f16b7f6c 100644
|
||||
--- a/src/include/openssl/ssl.h
|
||||
+++ b/src/include/openssl/ssl.h
|
||||
@@ -2378,6 +2378,13 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);
|
||||
|
|
@ -4193,6 +4193,21 @@ index 53aa9b453..765db2b10 100644
|
|||
|
||||
// SSL_get_curve_id returns the ID of the curve used by |ssl|'s most recently
|
||||
// completed handshake or 0 if not applicable.
|
||||
@@ -4570,6 +4577,14 @@ OPENSSL_EXPORT void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled);
|
||||
// permute extensions. For now, this is only implemented for the ClientHello.
|
||||
OPENSSL_EXPORT void SSL_set_permute_extensions(SSL *ssl, int enabled);
|
||||
|
||||
+// SSL_set_record_size_limit configures whether sockets on |ssl| should
|
||||
+// send record size limit extension.
|
||||
+OPENSSL_EXPORT void SSL_set_record_size_limit(SSL *ssl, uint16_t limit);
|
||||
+
|
||||
+// SSL_CTX_set_record_size_limit configures whether sockets on |ctx| should
|
||||
+// send record size limit extension.
|
||||
+OPENSSL_EXPORT void SSL_CTX_set_record_size_limit(SSL_CTX *ctx, uint16_t limit);
|
||||
+
|
||||
// SSL_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
|
||||
// record with |ssl|.
|
||||
OPENSSL_EXPORT size_t SSL_max_seal_overhead(const SSL *ssl);
|
||||
diff --git a/src/include/openssl/tls1.h b/src/include/openssl/tls1.h
|
||||
index 772fb87a3..4cb6b5667 100644
|
||||
--- a/src/include/openssl/tls1.h
|
||||
|
|
@ -4220,7 +4235,7 @@ index 5c7e881bf..3c0770cf3 100644
|
|||
crypto/pkcs8/test/no_encryption.p12
|
||||
crypto/pkcs8/test/nss.p12
|
||||
diff --git a/src/ssl/extensions.cc b/src/ssl/extensions.cc
|
||||
index 5ee280221..feb0606cf 100644
|
||||
index 5ee280221..7d25f1023 100644
|
||||
--- a/src/ssl/extensions.cc
|
||||
+++ b/src/ssl/extensions.cc
|
||||
@@ -207,6 +207,10 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) {
|
||||
|
|
@ -4263,15 +4278,19 @@ index 5ee280221..feb0606cf 100644
|
|||
static bool ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE *hs,
|
||||
uint8_t *out_alert,
|
||||
CBS *contents) {
|
||||
@@ -3094,6 +3117,35 @@ bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
||||
@@ -3094,6 +3117,39 @@ bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
||||
return true;
|
||||
}
|
||||
|
||||
+static bool record_size_limit_add_clienthello(const SSL_HANDSHAKE* hs, CBB* out,
|
||||
+ CBB* out_compressible,
|
||||
+ ssl_client_hello_type_t type) {
|
||||
+ if (hs->config->record_size_limit == 0) {
|
||||
+ return true;
|
||||
+ }
|
||||
+
|
||||
+ CBB data;
|
||||
+ const uint16_t data_ = 0x4001;
|
||||
+ const uint16_t data_ = hs->config->record_size_limit;
|
||||
+ if (!CBB_add_u16(out, TLSEXT_TYPE_record_size_limit) ||
|
||||
+ !CBB_add_u16_length_prefixed(out, &data) || !CBB_add_u16(&data, data_) ||
|
||||
+ !CBB_flush(out)) {
|
||||
|
|
@ -4299,7 +4318,7 @@ index 5ee280221..feb0606cf 100644
|
|||
// kExtensions contains all the supported extensions.
|
||||
static const struct tls_extension kExtensions[] = {
|
||||
{
|
||||
@@ -3267,6 +3319,13 @@ static const struct tls_extension kExtensions[] = {
|
||||
@@ -3267,6 +3323,13 @@ static const struct tls_extension kExtensions[] = {
|
||||
ignore_parse_clienthello,
|
||||
ext_alps_add_serverhello,
|
||||
},
|
||||
|
|
@ -4390,7 +4409,7 @@ index 971ebd0b1..e70e6c868 100644
|
|||
if (hs->min_version < TLS1_3_VERSION && type != ssl_client_hello_inner) {
|
||||
bool any_enabled = false;
|
||||
diff --git a/src/ssl/internal.h b/src/ssl/internal.h
|
||||
index 1e6da2153..045106263 100644
|
||||
index 1e6da2153..fcb586101 100644
|
||||
--- a/src/ssl/internal.h
|
||||
+++ b/src/ssl/internal.h
|
||||
@@ -554,8 +554,13 @@ BSSL_NAMESPACE_BEGIN
|
||||
|
|
@ -4408,6 +4427,26 @@ index 1e6da2153..045106263 100644
|
|||
|
||||
// Bits for |algorithm_prf| (handshake digest).
|
||||
#define SSL_HANDSHAKE_MAC_DEFAULT 0x1
|
||||
@@ -3128,6 +3133,9 @@ struct SSL_CONFIG {
|
||||
// of support for AES hw. The value is only considered if |aes_hw_override| is
|
||||
// true.
|
||||
bool aes_hw_override_value : 1;
|
||||
+
|
||||
+ // record_size_limit is whether to send record size limit extension.
|
||||
+ uint16_t record_size_limit = 0;
|
||||
};
|
||||
|
||||
// From RFC 8446, used in determining PSK modes.
|
||||
@@ -3748,6 +3756,9 @@ struct ssl_ctx_st {
|
||||
// |aes_hw_override| is true.
|
||||
bool aes_hw_override_value : 1;
|
||||
|
||||
+ // record_size_limit is whether to send record size limit extension.
|
||||
+ uint16_t record_size_limit = 0;
|
||||
+
|
||||
private:
|
||||
~ssl_ctx_st();
|
||||
friend OPENSSL_EXPORT void SSL_CTX_free(SSL_CTX *);
|
||||
diff --git a/src/ssl/ssl_cipher.cc b/src/ssl/ssl_cipher.cc
|
||||
index ebb075351..17fcaa13c 100644
|
||||
--- a/src/ssl/ssl_cipher.cc
|
||||
|
|
@ -5262,10 +5301,36 @@ index 09a9ad380..a972e8dd1 100644
|
|||
return nullptr;
|
||||
}
|
||||
diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc
|
||||
index 838761af5..9eb201d37 100644
|
||||
index 838761af5..e6304495b 100644
|
||||
--- a/src/ssl/ssl_lib.cc
|
||||
+++ b/src/ssl/ssl_lib.cc
|
||||
@@ -3151,7 +3151,7 @@ namespace fips202205 {
|
||||
@@ -684,6 +684,7 @@ SSL *SSL_new(SSL_CTX *ctx) {
|
||||
ssl->config->signed_cert_timestamps_enabled =
|
||||
ctx->signed_cert_timestamps_enabled;
|
||||
ssl->config->ocsp_stapling_enabled = ctx->ocsp_stapling_enabled;
|
||||
+ ssl->config->record_size_limit = ctx->record_size_limit;
|
||||
ssl->config->handoff = ctx->handoff;
|
||||
ssl->quic_method = ctx->quic_method;
|
||||
|
||||
@@ -2134,6 +2135,17 @@ void SSL_enable_ocsp_stapling(SSL *ssl) {
|
||||
ssl->config->ocsp_stapling_enabled = true;
|
||||
}
|
||||
|
||||
+void SSL_set_record_size_limit(SSL *ssl, uint16_t limit) {
|
||||
+ if (!ssl->config) {
|
||||
+ return;
|
||||
+ }
|
||||
+ ssl->config->record_size_limit = limit;
|
||||
+}
|
||||
+
|
||||
+void SSL_CTX_set_record_size_limit(SSL_CTX *ctx, uint16_t limit) {
|
||||
+ ctx->record_size_limit = limit;
|
||||
+}
|
||||
+
|
||||
void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out,
|
||||
size_t *out_len) {
|
||||
SSL_SESSION *session = SSL_get_session(ssl);
|
||||
@@ -3151,7 +3163,7 @@ namespace fips202205 {
|
||||
// Section 3.3.1
|
||||
// "The server shall be configured to only use cipher suites that are
|
||||
// composed entirely of NIST approved algorithms"
|
||||
|
|
|
|||
|
|
@ -1865,6 +1865,12 @@ impl SslContextBuilder {
|
|||
unsafe { ffi::SSL_CTX_set_grease_enabled(self.as_ptr(), enabled as _) }
|
||||
}
|
||||
|
||||
/// Sets whether the context should enable record size limit.
|
||||
#[corresponds(SSL_CTX_set_record_size_limit)]
|
||||
pub fn set_record_size_limit(&mut self, limit: u16) {
|
||||
unsafe { ffi::SSL_CTX_set_record_size_limit(self.as_ptr(), limit as _) }
|
||||
}
|
||||
|
||||
/// Configures whether ClientHello extensions should be permuted.
|
||||
///
|
||||
/// Note: This is gated to non-fips because the fips feature builds with a separate
|
||||
|
|
|
|||
Loading…
Reference in New Issue