Skip to content

Commit

Permalink
DTLS 1.3: check size including headers
Browse files Browse the repository at this point in the history
  • Loading branch information
julek-wolfssl committed Aug 28, 2024
1 parent dcea21a commit b2f59f7
Show file tree
Hide file tree
Showing 3 changed files with 21 additions and 11 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/os-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ jobs:
'--enable-dtls --enable-dtls13 --enable-earlydata
--enable-session-ticket --enable-psk
CPPFLAGS=''-DWOLFSSL_DTLS13_NO_HRR_ON_RESUME'' ',
'--enable-experimental --enable-kyber --enable-dtls --enable-dtls13
--enable-dtls-frag-ch',
]
name: make check
runs-on: ${{ matrix.os }}
Expand Down
7 changes: 6 additions & 1 deletion src/dtls.c
Original file line number Diff line number Diff line change
Expand Up @@ -953,8 +953,13 @@ int DoClientHelloStateless(WOLFSSL* ssl, const byte* input, word32 helloSz,
int tlsxFound;
ret = FindExtByType(&ch.cookieExt, TLSX_COOKIE, ch.extension,
&tlsxFound);
if (ret != 0)
if (ret != 0) {
if (isFirstCHFrag) {
WOLFSSL_MSG("\t\tCookie probably missing from first "
"fragment. Dropping.");
}
return ret;
}
}
}
#endif
Expand Down
23 changes: 13 additions & 10 deletions src/tls13.c
Original file line number Diff line number Diff line change
Expand Up @@ -4455,8 +4455,17 @@ int SendTls13ClientHello(WOLFSSL* ssl)
if (ret != 0)
return ret;

/* Total message size. */
args->sendSz =
(int)(args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ);

#ifdef WOLFSSL_DTLS13
if (ssl->options.dtls)
args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
#endif /* WOLFSSL_DTLS13 */

#ifdef WOLFSSL_DTLS_CH_FRAG
if (ssl->options.dtls && args->length > maxFrag &&
if (ssl->options.dtls && args->sendSz > maxFrag &&
TLSX_Find(ssl->extensions, TLSX_COOKIE) == NULL) {
/* Try again with an empty key share if we would be fragmenting
* without a cookie */
Expand All @@ -4467,7 +4476,9 @@ int SendTls13ClientHello(WOLFSSL* ssl)
ret = TLSX_GetRequestSize(ssl, client_hello, &args->length);
if (ret != 0)
return ret;
if (args->length > maxFrag) {
args->sendSz = (int)(args->length +
DTLS_HANDSHAKE_HEADER_SZ + DTLS_RECORD_HEADER_SZ);
if (args->sendSz > maxFrag) {
WOLFSSL_MSG("Can't fit first CH in one fragment.");
return BUFFER_ERROR;
}
Expand All @@ -4476,14 +4487,6 @@ int SendTls13ClientHello(WOLFSSL* ssl)
#endif
}

/* Total message size. */
args->sendSz = (int)(args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ);

#ifdef WOLFSSL_DTLS13
if (ssl->options.dtls)
args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
#endif /* WOLFSSL_DTLS13 */

/* Check buffers are big enough and grow if needed. */
if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0)
return ret;
Expand Down

0 comments on commit b2f59f7

Please sign in to comment.