PR: 2006

Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Do not use multiple DTLS records for a single user message

diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 0664636b521a3ccf810a952abccb1faf18a88f18..355d5ed9cdcbeedc59bbe83855cb02a77cbccecf 100644 (file)
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -1257,7 +1257,6 @@ err:
 int
 dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
        {
 int
 dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
        {

-       unsigned int n,tot;

        int i;
 
        if (SSL_in_init(s) && !s->in_handshake)
        int i;
 
        if (SSL_in_init(s) && !s->in_handshake)


@@ -1271,31 +1270,14 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
                        }
                }
 
                        }
                }
 

-       tot = s->s3->wnum;
-       n = len - tot;
-
-       while( n)
+       if (len > SSL3_RT_MAX_PLAIN_LENGTH)

                {
                {

-               /* dtls1_write_bytes sends one record at a time, sized according to 
-                * the currently known MTU */
-               i = dtls1_write_bytes(s, type, buf_, len);
-               if (i <= 0) return i;
-               
-               if ((i == (int)n) ||
-                       (type == SSL3_RT_APPLICATION_DATA &&
-                               (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
-                       {
-                       /* next chunk of data should get another prepended empty fragment
-                        * in ciphersuites with known-IV weakness: */
-                       s->s3->empty_fragment_done = 0;
-                       return tot+i;
-                       }
-
-               tot += i;
-               n-=i;
+                       SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_DTLS_MESSAGE_TOO_BIG);
+                       return -1;

                }
 
                }
 

-       return tot;
+       i = dtls1_write_bytes(s, type, buf_, len);
+       return i;

        }
 
 
        }
 
 


@@ -1336,46 +1318,13 @@ have_handshake_fragment(SSL *s, int type, unsigned char *buf,
 /* Call this to write data in records of type 'type'
  * It will return <= 0 if not all data has been sent or non-blocking IO.
  */
 /* Call this to write data in records of type 'type'
  * It will return <= 0 if not all data has been sent or non-blocking IO.
  */

-int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
+int dtls1_write_bytes(SSL *s, int type, const void *buf, int len)

        {
        {

-       const unsigned char *buf=buf_;
-       unsigned int tot,n,nw;

        int i;
        int i;

-       unsigned int mtu;

 
 

+       OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH);

        s->rwstate=SSL_NOTHING;
        s->rwstate=SSL_NOTHING;

-       tot=s->s3->wnum;
-
-       n=(len-tot);
-
-       /* handshake layer figures out MTU for itself, but data records
-        * are also sent through this interface, so need to figure out MTU */
-#if 0
-       mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL);
-       mtu += DTLS1_HM_HEADER_LENGTH;  /* HM already inserted */
-#endif
-       mtu = s->d1->mtu;
-
-       if (mtu > SSL3_RT_MAX_PLAIN_LENGTH)
-               mtu = SSL3_RT_MAX_PLAIN_LENGTH;
-
-       if (n > mtu)
-               nw=mtu;
-       else
-               nw=n;
-       
-       i=do_dtls1_write(s, type, &(buf[tot]), nw, 0);
-       if (i <= 0)
-               {
-               s->s3->wnum=tot;
-               return i;
-               }
-
-       if ( (int)s->s3->wnum + i == len)
-               s->s3->wnum = 0;
-       else 
-               s->s3->wnum += i;
-
+       i=do_dtls1_write(s, type, buf, len, 0);

        return i;
        }
 
        return i;
        }
 

diff --git a/ssl/ssl.h b/ssl/ssl.h
index fd7226298e512b81169b23b5d3dddfc3c41c2fc0..2c760b34ebf9e62a65ba579a9908a97e782bafd9 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2211,6 +2211,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE            1111
 #define SSL_R_TLSV1_UNRECOGNIZED_NAME                   1112
 #define SSL_R_TLSV1_UNSUPPORTED_EXTENSION               1110
 #define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE            1111
 #define SSL_R_TLSV1_UNRECOGNIZED_NAME                   1112
 #define SSL_R_TLSV1_UNSUPPORTED_EXTENSION               1110

+#define SSL_R_DTLS_MESSAGE_TOO_BIG                      1200

 #define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER      232
 #define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST            157
 #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
 #define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER      232
 #define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST            157
 #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233

diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index e647e107d18dd55f4176c195e3d78b81e89dd675..9d43453ddf284cfb755ad0c3f35e0ded193aa777 100644 (file)
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -490,6 +490,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE),"tlsv1 certificate unobtainable"},
 {ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME),"tlsv1 unrecognized name"},
 {ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION),"tlsv1 unsupported extension"},
 {ERR_REASON(SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE),"tlsv1 certificate unobtainable"},
 {ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME),"tlsv1 unrecognized name"},
 {ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION),"tlsv1 unsupported extension"},

+{ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG),"dtls message too big"},

 {ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
 {ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"},
 {ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},
 {ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
 {ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"},
 {ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},