1 /*
2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <https://www.gnu.org/licenses/>
20 *
21 */
22
23 /* This file contains the code for the Max Record Size TLS extension.
24 */
25
26 #include "gnutls_int.h"
27 #include "errors.h"
28 #include "num.h"
29 #include <hello_ext.h>
30 #include <ext/max_record.h>
31
32 static int _gnutls_max_record_recv_params(gnutls_session_t session,
33 const uint8_t * data,
34 size_t data_size);
35 static int _gnutls_max_record_send_params(gnutls_session_t session,
36 gnutls_buffer_st * extdata);
37
38 /* Maps record size to numbers according to the
39 * extensions draft.
40 */
41 static int _gnutls_mre_num2record(int num);
42 static int _gnutls_mre_record2num(uint16_t record_size);
43
44
45 const hello_ext_entry_st ext_mod_max_record_size = {
46 .name = "Maximum Record Size",
47 .tls_id = 1,
48 .gid = GNUTLS_EXTENSION_MAX_RECORD_SIZE,
49 .client_parse_point = GNUTLS_EXT_TLS,
50 .server_parse_point = GNUTLS_EXT_TLS,
51 .validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |
52 GNUTLS_EXT_FLAG_EE | GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
53 .recv_func = _gnutls_max_record_recv_params,
54 .send_func = _gnutls_max_record_send_params
55 };
56
57 /*
58 * In case of a server: if a MAX_RECORD_SIZE extension type is received then it stores
59 * into the session the new value. The server may use gnutls_get_max_record_size(),
60 * in order to access it.
61 *
62 * In case of a client: If a different max record size (than the default) has
63 * been specified then it sends the extension.
64 *
65 */
66
67 static int
_gnutls_max_record_recv_params(gnutls_session_t session,const uint8_t * data,size_t data_size)68 _gnutls_max_record_recv_params(gnutls_session_t session,
69 const uint8_t * data, size_t data_size)
70 {
71 ssize_t new_size;
72
73 if (session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_NEGOTIATED)
74 return 0;
75
76 if (session->security_parameters.entity == GNUTLS_SERVER) {
77 if (data_size > 0) {
78 DECR_LEN(data_size, 1);
79
80 new_size = _gnutls_mre_num2record(data[0]);
81
82 if (new_size < 0) {
83 gnutls_assert();
84 return new_size;
85 }
86
87 session->security_parameters.max_record_send_size =
88 new_size;
89 session->security_parameters.max_record_recv_size =
90 new_size;
91 }
92 } else { /* CLIENT SIDE - we must check if the sent record size is the right one
93 */
94 if (data_size > 0) {
95 if (data_size != 1) {
96 gnutls_assert();
97 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
98 }
99
100 new_size = _gnutls_mre_num2record(data[0]);
101
102 if (new_size < 0) {
103 gnutls_assert();
104 return new_size;
105 }
106
107 if (new_size != session->security_parameters.
108 max_user_record_send_size) {
109 gnutls_assert();
110 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
111 } else {
112 session->security_parameters.
113 max_record_send_size = new_size;
114 session->security_parameters.
115 max_record_recv_size = new_size;
116 }
117
118 }
119
120
121 }
122
123 return 0;
124 }
125
126 /* returns data_size or a negative number on failure
127 */
128 static int
_gnutls_max_record_send_params(gnutls_session_t session,gnutls_buffer_st * extdata)129 _gnutls_max_record_send_params(gnutls_session_t session,
130 gnutls_buffer_st * extdata)
131 {
132 uint8_t p;
133 int ret;
134
135 /* this function sends the client extension data (dnsname) */
136 if (session->security_parameters.entity == GNUTLS_CLIENT) {
137 /* if the user limits for sending and receiving are
138 * different, that means the programmer had chosen to
139 * use record_size_limit instead */
140 if (session->security_parameters.max_user_record_send_size !=
141 session->security_parameters.max_user_record_recv_size)
142 return 0;
143
144 if (session->security_parameters.max_user_record_send_size !=
145 DEFAULT_MAX_RECORD_SIZE) {
146 ret = _gnutls_mre_record2num
147 (session->security_parameters.
148 max_user_record_send_size);
149
150 /* it's not an error, as long as we send the
151 * record_size_limit extension with that value */
152 if (ret < 0)
153 return 0;
154
155 p = (uint8_t) ret;
156 ret = _gnutls_buffer_append_data(extdata, &p, 1);
157 if (ret < 0)
158 return gnutls_assert_val(ret);
159
160 return 1;
161 }
162
163 } else { /* server side */
164
165 if (session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_SENT)
166 return 0;
167
168 if (session->security_parameters.max_record_recv_size !=
169 DEFAULT_MAX_RECORD_SIZE) {
170 ret = _gnutls_mre_record2num
171 (session->security_parameters.
172 max_record_recv_size);
173 if (ret < 0)
174 return gnutls_assert_val(ret);
175
176 p = (uint8_t) ret;
177 ret = _gnutls_buffer_append_data(extdata, &p, 1);
178 if (ret < 0)
179 return gnutls_assert_val(ret);
180
181 return 1;
182 }
183 }
184
185 return 0;
186 }
187
188
189 /* Maps numbers to record sizes according to the
190 * extensions draft.
191 */
_gnutls_mre_num2record(int num)192 static int _gnutls_mre_num2record(int num)
193 {
194 switch (num) {
195 case 1:
196 return 512;
197 case 2:
198 return 1024;
199 case 3:
200 return 2048;
201 case 4:
202 return 4096;
203 default:
204 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
205 }
206 }
207
208 /* Maps record size to numbers according to the
209 * extensions draft.
210 */
_gnutls_mre_record2num(uint16_t record_size)211 static int _gnutls_mre_record2num(uint16_t record_size)
212 {
213 switch (record_size) {
214 case 512:
215 return 1;
216 case 1024:
217 return 2;
218 case 2048:
219 return 3;
220 case 4096:
221 return 4;
222 default:
223 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
224 }
225
226 }
227
228 /**
229 * gnutls_record_get_max_size:
230 * @session: is a #gnutls_session_t type.
231 *
232 * Get the record size. The maximum record size is negotiated by the
233 * client after the first handshake message.
234 *
235 * Returns: The maximum record packet size in this connection.
236 **/
gnutls_record_get_max_size(gnutls_session_t session)237 size_t gnutls_record_get_max_size(gnutls_session_t session)
238 {
239 /* Recv will hold the negotiated max record size
240 * always.
241 */
242 return session->security_parameters.max_record_recv_size;
243 }
244
245
246 /**
247 * gnutls_record_set_max_size:
248 * @session: is a #gnutls_session_t type.
249 * @size: is the new size
250 *
251 * This function sets the maximum amount of plaintext sent and
252 * received in a record in this connection.
253 *
254 * Prior to 3.6.4, this function was implemented using a TLS extension
255 * called 'max fragment length', which limits the acceptable values to
256 * 512(=2^9), 1024(=2^10), 2048(=2^11) and 4096(=2^12).
257 *
258 * Since 3.6.4, the limit is also negotiated through a new TLS
259 * extension called 'record size limit', which doesn't have the
260 * limitation, as long as the value ranges between 512 and 16384.
261 * Note that while the 'record size limit' extension is preferred, not
262 * all TLS implementations use or even understand the extension.
263 *
264 * Deprecated: if the client can assume that the 'record size limit'
265 * extension is supported by the server, we recommend using
266 * gnutls_record_set_max_recv_size() instead.
267 *
268 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
269 * otherwise a negative error code is returned.
270 **/
gnutls_record_set_max_size(gnutls_session_t session,size_t size)271 ssize_t gnutls_record_set_max_size(gnutls_session_t session, size_t size)
272 {
273 if (size < MIN_RECORD_SIZE || size > DEFAULT_MAX_RECORD_SIZE)
274 return GNUTLS_E_INVALID_REQUEST;
275
276 if (session->internals.handshake_in_progress)
277 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
278
279 session->security_parameters.max_user_record_send_size = size;
280 session->security_parameters.max_user_record_recv_size = size;
281
282 return 0;
283 }
284
285 /**
286 * gnutls_record_set_max_recv_size:
287 * @session: is a #gnutls_session_t type.
288 * @size: is the new size
289 *
290 * This function sets the maximum amount of plaintext received in a
291 * record in this connection.
292 *
293 * The limit is also negotiated through a TLS extension called 'record
294 * size limit'. Note that while the 'record size limit' extension is
295 * preferred, not all TLS implementations use or even understand the
296 * extension.
297 *
298 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
299 * otherwise a negative error code is returned.
300 *
301 * Since: 3.6.8
302 **/
gnutls_record_set_max_recv_size(gnutls_session_t session,size_t size)303 ssize_t gnutls_record_set_max_recv_size(gnutls_session_t session, size_t size)
304 {
305 if (size <
306 (session->internals.allow_small_records ?
307 MIN_RECORD_SIZE_SMALL : MIN_RECORD_SIZE) ||
308 size > DEFAULT_MAX_RECORD_SIZE)
309 return GNUTLS_E_INVALID_REQUEST;
310
311 if (session->internals.handshake_in_progress)
312 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
313
314 session->security_parameters.max_user_record_recv_size = size;
315
316 return 0;
317 }
318