diff --git a/doc/dox_comments/header_files/ssl.h b/doc/dox_comments/header_files/ssl.h index 8f37dfda5..72312307c 100644 --- a/doc/dox_comments/header_files/ssl.h +++ b/doc/dox_comments/header_files/ssl.h @@ -10259,9 +10259,11 @@ WOLFSSL_API int wolfSSL_UseMaxFragment(WOLFSSL* ssl, unsigned char mfl); \param ctx pointer to a SSL context, created with wolfSSL_CTX_new(). \param mfl indicates which is the Maximum Fragment Length requested for the session. The available options are: - enum { WOLFSSL_MFL_2_9 = 1, 512 bytes WOLFSSL_MFL_2_10 = 2, - 1024 bytes WOLFSSL_MFL_2_11 = 3, 2048 bytes WOLFSSL_MFL_2_12 = 4, - 4096 bytes WOLFSSL_MFL_2_13 = 5, 8192 bytes wolfSSL ONLY!!! }; + enum { WOLFSSL_MFL_2_9 = 1 512 bytes, WOLFSSL_MFL_2_10 = 2 1024 bytes, + WOLFSSL_MFL_2_11 = 3 2048 bytes WOLFSSL_MFL_2_12 = 4 4096 bytes, + WOLFSSL_MFL_2_13 = 5 8192 bytes wolfSSL ONLY!!!, + WOLFSSL_MFL_2_13 = 6 256 bytes wolfSSL ONLY!!! + }; _Example_ \code diff --git a/examples/client/client.c b/examples/client/client.c index b9f692363..ef878e6a4 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -858,7 +858,7 @@ static void Usage(void) printf("-S Use Host Name Indication\n"); #endif #ifdef HAVE_MAX_FRAGMENT - printf("-F Use Maximum Fragment Length [1-5]\n"); + printf("-F Use Maximum Fragment Length [0-6]\n"); #endif #ifdef HAVE_TRUNCATED_HMAC printf("-T Use Truncated HMAC\n"); @@ -1341,8 +1341,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) case 'F' : #ifdef HAVE_MAX_FRAGMENT maxFragment = atoi(myoptarg); - if (maxFragment < WOLFSSL_MFL_2_9 || - maxFragment > WOLFSSL_MFL_2_13) { + if (maxFragment < WOLFSSL_MFL_MIN || + maxFragment > WOLFSSL_MFL_MAX) { Usage(); XEXIT_T(MY_EX_USAGE); } diff --git a/src/tls.c b/src/tls.c index fdda2bba3..8e1f4473b 100644 --- a/src/tls.c +++ b/src/tls.c @@ -2535,6 +2535,7 @@ static int TLSX_MFL_Parse(WOLFSSL* ssl, byte* input, word16 length, #endif switch (*input) { + case WOLFSSL_MFL_2_8 : ssl->max_fragment = 256; break; case WOLFSSL_MFL_2_9 : ssl->max_fragment = 512; break; case WOLFSSL_MFL_2_10: ssl->max_fragment = 1024; break; case WOLFSSL_MFL_2_11: ssl->max_fragment = 2048; break; @@ -2566,7 +2567,7 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl, void* heap) byte* data = NULL; int ret = 0; - if (extensions == NULL || mfl < WOLFSSL_MFL_2_9 || WOLFSSL_MFL_2_13 < mfl) + if (extensions == NULL || mfl < WOLFSSL_MFL_MIN || mfl > WOLFSSL_MFL_MAX) return BAD_FUNC_ARG; data = (byte*)XMALLOC(ENUM_LEN, heap, DYNAMIC_TYPE_TLSX); diff --git a/tests/api.c b/tests/api.c index 4d13402a1..8f3c12248 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2869,17 +2869,19 @@ static void test_wolfSSL_UseMaxFragment(void) /* error cases */ AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(NULL, WOLFSSL_MFL_2_9)); AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment( NULL, WOLFSSL_MFL_2_9)); - AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, 0)); - AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, 6)); - AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment(ssl, 0)); - AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment(ssl, 6)); + AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_MIN-1)); + AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_MAX+1)); + AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment(ssl, WOLFSSL_MFL_MIN-1)); + AssertIntNE(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment(ssl, WOLFSSL_MFL_MAX+1)); /* success case */ + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_8)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_9)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_10)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_11)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_12)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_13)); + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment( ssl, WOLFSSL_MFL_2_8)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment( ssl, WOLFSSL_MFL_2_9)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment( ssl, WOLFSSL_MFL_2_10)); AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_UseMaxFragment( ssl, WOLFSSL_MFL_2_11)); diff --git a/tests/include.am b/tests/include.am index 9c7aa09ca..2b6baf558 100644 --- a/tests/include.am +++ b/tests/include.am @@ -32,5 +32,7 @@ EXTRA_DIST += tests/test.conf \ tests/test-sig.conf \ tests/test-ed25519.conf \ tests/test-enckeys.conf \ + tests/test-maxfrag.conf \ + tests/test-maxfrag-dtls.conf \ tests/test-fails.conf DISTCLEANFILES+= tests/.libs/unit.test diff --git a/tests/suites.c b/tests/suites.c index cc12d5d24..e4dd93a0d 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -783,6 +783,29 @@ int SuiteTest(void) } #endif +#ifdef HAVE_MAX_FRAGMENT + /* Max fragment cipher suite tests */ + strcpy(argv0[1], "tests/test-maxfrag.conf"); + printf("starting max fragment cipher suite tests\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + args.return_code = EXIT_FAILURE; + goto exit; + } + + #ifdef WOLFSSL_DTLS + strcpy(argv0[1], "tests/test-maxfrag-dtls.conf"); + printf("starting dtls max fragment cipher suite tests\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + args.return_code = EXIT_FAILURE; + goto exit; + } + #endif +#endif + /* failure tests */ args.argc = 3; strcpy(argv0[1], "tests/test-fails.conf"); diff --git a/tests/test-maxfrag-dtls.conf b/tests/test-maxfrag-dtls.conf new file mode 100644 index 000000000..67aef1776 --- /dev/null +++ b/tests/test-maxfrag-dtls.conf @@ -0,0 +1,215 @@ +# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-A ./certs/ca-ecc-cert.pem +-F 1 + +# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 + +# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 +-F 1 + +# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 + +# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-F 1 + +# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-A ./certs/ca-ecc-cert.pem +-F 2 + +# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 + +# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 +-F 2 + +# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 + +# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-F 2 + +# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-A ./certs/ca-ecc-cert.pem +-F 3 + +# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 + +# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 +-F 3 + +# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 + +# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-F 3 + +# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-A ./certs/ca-ecc-cert.pem +-F 4 + +# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 + +# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 +-F 4 + +# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 + +# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-F 4 + +# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-A ./certs/ca-ecc-cert.pem +-F 5 + +# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 + +# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 +-F 5 + +# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 + +# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-F 5 + +# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-A ./certs/ca-ecc-cert.pem +-F 6 + +# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 + +# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 +-F 6 + +# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 + +# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-F 6 diff --git a/tests/test-maxfrag.conf b/tests/test-maxfrag.conf new file mode 100644 index 000000000..2ca6cc8dd --- /dev/null +++ b/tests/test-maxfrag.conf @@ -0,0 +1,179 @@ +# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-A ./certs/ca-ecc-cert.pem +-F 1 + +# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 + +# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 +-F 1 + +# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 + +# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-F 1 + +# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-A ./certs/ca-ecc-cert.pem +-F 2 + +# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 + +# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 +-F 2 + +# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 + +# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-F 2 + +# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-A ./certs/ca-ecc-cert.pem +-F 3 + +# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 + +# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 +-F 3 + +# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 + +# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-F 3 + +# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-A ./certs/ca-ecc-cert.pem +-F 4 + +# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 + +# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 +-F 4 + +# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 + +# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-F 4 + +# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-A ./certs/ca-ecc-cert.pem +-F 5 + +# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 + +# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 +-F 5 + +# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 + +# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-F 5 + +# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-A ./certs/ca-ecc-cert.pem +-F 6 + +# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 + +# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 +-F 6 + +# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 + +# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-F 6 diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index e925dffea..d1deb8722 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2275,7 +2275,10 @@ enum { WOLFSSL_MFL_2_10 = 2, /* 1024 bytes */ WOLFSSL_MFL_2_11 = 3, /* 2048 bytes */ WOLFSSL_MFL_2_12 = 4, /* 4096 bytes */ - WOLFSSL_MFL_2_13 = 5 /* 8192 bytes *//* wolfSSL ONLY!!! */ + WOLFSSL_MFL_2_13 = 5, /* 8192 bytes *//* wolfSSL ONLY!!! */ + WOLFSSL_MFL_2_8 = 6, /* 256 bytes *//* wolfSSL ONLY!!! */ + WOLFSSL_MFL_MIN = WOLFSSL_MFL_2_9, + WOLFSSL_MFL_MAX = WOLFSSL_MFL_2_8, }; #ifndef NO_WOLFSSL_CLIENT @@ -2284,7 +2287,7 @@ WOLFSSL_API int wolfSSL_UseMaxFragment(WOLFSSL* ssl, unsigned char mfl); WOLFSSL_API int wolfSSL_CTX_UseMaxFragment(WOLFSSL_CTX* ctx, unsigned char mfl); #endif -#endif +#endif /* HAVE_MAX_FRAGMENT */ /* Truncated HMAC */ #ifdef HAVE_TRUNCATED_HMAC