PR: 2006

Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de> Approved by: steve@openssl.org Do not use multiple DTLS records for a single user message
2009-08-26 11:51:23 +00:00 · 2009-08-26 11:51:23 +00:00 · 17f8d8db61
commit 17f8d8db61
parent 38437fa135
3 changed files with 10 additions and 59 deletions
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@ -1257,7 +1257,6 @@ err:
 int
 dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
 	{
 	unsigned int n,tot;
 	int i;
 	if (SSL_in_init(s) && !s->in_handshake)
@ -1271,31 +1270,14 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
 			}
 		}
-	tot = s->s3->wnum;
+	if (len > SSL3_RT_MAX_PLAIN_LENGTH)
 	n = len - tot;
 	while( n)
 		{
-		/* dtls1_write_bytes sends one record at a time, sized according to 
+			SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_DTLS_MESSAGE_TOO_BIG);
-		 * the currently known MTU */
+			return -1;
 		i = dtls1_write_bytes(s, type, buf_, len);
 		if (i <= 0) return i;
 		if ((i == (int)n) ||
 			(type == SSL3_RT_APPLICATION_DATA &&
 				(s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
 			{
 			/* next chunk of data should get another prepended empty fragment
 			 * in ciphersuites with known-IV weakness: */
 			s->s3->empty_fragment_done = 0;
 			return tot+i;
 			}
 		tot += i;
 		n-=i;
 		}
-	return tot;
+	i = dtls1_write_bytes(s, type, buf_, len);
 	return i;
 	}
@ -1336,46 +1318,13 @@ have_handshake_fragment(SSL *s, int type, unsigned char *buf,
 /* Call this to write data in records of type 'type'
 * It will return <= 0 if not all data has been sent or non-blocking IO.
 */
-int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
+int dtls1_write_bytes(SSL *s, int type, const void *buf, int len)
 	{
 	const unsigned char *buf=buf_;
 	unsigned int tot,n,nw;
 	int i;
 	unsigned int mtu;
 	OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH);
 	s->rwstate=SSL_NOTHING;
-	tot=s->s3->wnum;
+	i=do_dtls1_write(s, type, buf, len, 0);
 	n=(len-tot);
 	/* handshake layer figures out MTU for itself, but data records
 	 * are also sent through this interface, so need to figure out MTU */
 #if 0
 	mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL);
 	mtu += DTLS1_HM_HEADER_LENGTH;  /* HM already inserted */
 #endif
 	mtu = s->d1->mtu;
 	if (mtu > SSL3_RT_MAX_PLAIN_LENGTH)
 		mtu = SSL3_RT_MAX_PLAIN_LENGTH;
 	if (n > mtu)
 		nw=mtu;
 	else
 		nw=n;
 	i=do_dtls1_write(s, type, &(buf[tot]), nw, 0);
 	if (i <= 0)
 		{
 		s->s3->wnum=tot;
 		return i;
 		}
 	if ( (int)s->s3->wnum + i == len)
 		s->s3->wnum = 0;
 	else 
 		s->s3->wnum += i;
 	return i;
 	}
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@ -2211,6 +2211,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE		 1111
 #define SSL_R_TLSV1_UNRECOGNIZED_NAME			 1112
 #define SSL_R_TLSV1_UNSUPPORTED_EXTENSION		 1110
 #define SSL_R_DTLS_MESSAGE_TOO_BIG			 1200
 #define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER	 232
 #define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST		 157
 #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@ -490,6 +490,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE),"tlsv1 certificate unobtainable"},
 {ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME),"tlsv1 unrecognized name"},
 {ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION),"tlsv1 unsupported extension"},
 {ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG),"dtls message too big"},
 {ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
 {ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"},
 {ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},