DTLS 1.3: check size including headers

pull/7912/head
Juliusz Sosinowicz 2024-08-28 12:58:50 +02:00
parent dcea21a9a5
commit b2f59f733a
3 changed files with 21 additions and 11 deletions


@ -33,6 +33,8 @@ jobs:
'--enable-dtls --enable-dtls13 --enable-earlydata '--enable-dtls --enable-dtls13 --enable-earlydata
--enable-session-ticket --enable-psk --enable-session-ticket --enable-psk
CPPFLAGS=''-DWOLFSSL_DTLS13_NO_HRR_ON_RESUME'' ', CPPFLAGS=''-DWOLFSSL_DTLS13_NO_HRR_ON_RESUME'' ',
'--enable-experimental --enable-kyber --enable-dtls --enable-dtls13
--enable-dtls-frag-ch',
] ]
name: make check name: make check
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}


@ -953,10 +953,15 @@ int DoClientHelloStateless(WOLFSSL* ssl, const byte* input, word32 helloSz,
int tlsxFound; int tlsxFound;
ret = FindExtByType(&ch.cookieExt, TLSX_COOKIE, ch.extension, ret = FindExtByType(&ch.cookieExt, TLSX_COOKIE, ch.extension,
&tlsxFound); &tlsxFound);
if (ret != 0) if (ret != 0) {
if (isFirstCHFrag) {
WOLFSSL_MSG("\t\tCookie probably missing from first "
"fragment. Dropping.");
}
return ret; return ret;
} }
} }
}
#endif #endif
ret = ClientHelloSanityCheck(&ch, isTls13); ret = ClientHelloSanityCheck(&ch, isTls13);
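Review bot: The new `if (isFirstCHFrag)` branch only changes what gets logged; `return ret;` is reached on both paths, so whether the peer ends up with a silently discarded datagram or an alert is decided by the caller, which is outside this hunk. A short comment on that branch would make the intent reviewable without chasing the caller, e.g. `/* Cookie ext may sit in a later fragment; presumably the caller drops this datagram without keeping state */`. If the drop really is the intended outcome for a stateless server, it is worth stating that the return value is the signal for it, since the log text ("Dropping.") currently promises behaviour this function does not itself implement. DoClientHelloStateless starts and ends outside the hunk.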


@ -4455,8 +4455,17 @@ int SendTls13ClientHello(WOLFSSL* ssl)
if (ret != 0) if (ret != 0)
return ret; return ret;
/* Total message size. */
args->sendSz =
(int)(args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ);
#ifdef WOLFSSL_DTLS13
if (ssl->options.dtls)
args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
#endif /* WOLFSSL_DTLS13 */
#ifdef WOLFSSL_DTLS_CH_FRAG #ifdef WOLFSSL_DTLS_CH_FRAG
if (ssl->options.dtls && args->length > maxFrag && if (ssl->options.dtls && args->sendSz > maxFrag &&
TLSX_Find(ssl->extensions, TLSX_COOKIE) == NULL) { TLSX_Find(ssl->extensions, TLSX_COOKIE) == NULL) {
/* Try again with an empty key share if we would be fragmenting /* Try again with an empty key share if we would be fragmenting
* without a cookie */ * without a cookie */
@ -4467,7 +4476,9 @@ int SendTls13ClientHello(WOLFSSL* ssl)
ret = TLSX_GetRequestSize(ssl, client_hello, &args->length); ret = TLSX_GetRequestSize(ssl, client_hello, &args->length);
if (ret != 0) if (ret != 0)
return ret; return ret;
if (args->length > maxFrag) { args->sendSz = (int)(args->length +
DTLS_HANDSHAKE_HEADER_SZ + DTLS_RECORD_HEADER_SZ);
if (args->sendSz > maxFrag) {
WOLFSSL_MSG("Can't fit first CH in one fragment."); WOLFSSL_MSG("Can't fit first CH in one fragment.");
return BUFFER_ERROR; return BUFFER_ERROR;
} }
@ -4476,14 +4487,6 @@ int SendTls13ClientHello(WOLFSSL* ssl)
#endif #endif
} }
/* Total message size. */
args->sendSz = (int)(args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ);
#ifdef WOLFSSL_DTLS13
if (ssl->options.dtls)
args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
#endif /* WOLFSSL_DTLS13 */
/* Check buffers are big enough and grow if needed. */ /* Check buffers are big enough and grow if needed. */
if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0)
return ret; return ret;
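Review bot: The retry path recomputes the total as `args->sendSz = (int)(args->length + DTLS_HANDSHAKE_HEADER_SZ + DTLS_RECORD_HEADER_SZ);`, while the total established a few lines earlier is `HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ` plus `DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA` under `WOLFSSL_DTLS13`, so a reader has to prove the two expressions agree before trusting that both `> maxFrag` checks bound the same quantity; writing the second in the same terms, `args->sendSz = (int)(args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ + DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA);` with the comment `/* Re-derive the total for the reduced extension set; keep in step with the formula above */`, removes that burden. The two formulas also live under different guards (`WOLFSSL_DTLS13` vs `WOLFSSL_DTLS_CH_FRAG`); if the fragmentation option can be built without the DTLS 1.3 one, the first comparison would test a TLS-sized total against a DTLS fragment bound, which cannot be confirmed from this hunk. Getting this bound right matters beyond buffer sizing: a cookie-less first ClientHello that is judged to fit but does not would be fragmented, and a stateless peer discards such a first fragment, so an off-by-header error here turns into a silent handshake failure rather than the explicit BUFFER_ERROR. SendTls13ClientHello continues outside the hunk.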