Add a 'max_send_frag' option to configure maximum size of send fragments #3141

61 changes: 31 additions & 30 deletions apps/s_client.c
Expand Up @@ -540,13 +540,12 @@ typedef enum OPTION_choice {
OPT_SSL3, OPT_SSL_CONFIG,
OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS,
OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH,
OPT_VERIFYCAPATH,
OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE,
OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN,
OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_NOSERVERNAME,
OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_NOSERVERNAME, OPT_ASYNC,
OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_SMTPHOST,
OPT_ASYNC, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
OPT_KEYLOG_FILE, OPT_EARLY_DATA, OPT_REQCAFILE,
OPT_V_ENUM,
OPT_X_ENUM,
Expand Down Expand Up @@ -665,11 +664,12 @@ const OPTIONS s_client_options[] = {
"Enable ALPN extension, considering named protocols supported (comma-separated list)"},
{"async", OPT_ASYNC, '-', "Support asynchronous operation"},
{"ssl_config", OPT_SSL_CONFIG, 's', "Use specified configuration file"},
{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'n',
{"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
"Size used to split data for encrypt pipelines"},
{"max_pipelines", OPT_MAX_PIPELINES, 'n',
{"max_pipelines", OPT_MAX_PIPELINES, 'p',
"Maximum number of encrypt/decrypt pipelines to be used"},
{"read_buf", OPT_READ_BUF, 'n',
{"read_buf", OPT_READ_BUF, 'p',
"Default read buffer size to be used for connections"},
OPT_S_OPTIONS,
OPT_V_OPTIONS,
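Review bot: The help text added for the new `max_send_frag` table entry, `"Maximum Size of send frames "`, has a trailing space, capitalizes "Size" unlike the neighbouring entries, and says "frames" where the option name, the `max_send_fragment` variable and the man page text all say "fragment". Suggest `{"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum size of send fragments"},`. The identical string is added in the matching hunk of apps/s_server.c and should be fixed there too. The `s_client_options[]` table continues outside this hunk.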
Expand Down Expand Up @@ -895,8 +895,8 @@ int s_client_main(int argc, char **argv)
#endif
int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
int async = 0;
unsigned int split_send_fragment = 0;
unsigned int max_pipelines = 0;
unsigned int max_send_fragment = 0;
unsigned int split_send_fragment = 0, max_pipelines = 0;
enum { use_inet, use_unix, use_unknown } connect_type = use_unknown;
int count4or6 = 0;
int c_nbio = 0, c_msg = 0, c_ign_eof = 0, c_brief = 0;
Expand Down Expand Up @@ -1377,15 +1377,11 @@ int s_client_main(int argc, char **argv)
case OPT_ASYNC:
async = 1;
break;
case OPT_MAX_SEND_FRAG:
max_send_fragment = atoi(opt_arg());
break;
case OPT_SPLIT_SEND_FRAG:
split_send_fragment = atoi(opt_arg());
if (split_send_fragment == 0) {
/*
* Not allowed - set to a deliberately bad value so we get an
* error message below
*/
split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1;
}
break;
case OPT_MAX_PIPELINES:
max_pipelines = atoi(opt_arg());
Expand Down Expand Up @@ -1475,16 +1471,6 @@ int s_client_main(int argc, char **argv)
}
#endif

if (split_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
BIO_printf(bio_err, "Bad split send fragment size\n");
goto end;
}

if (max_pipelines > SSL_MAX_PIPELINES) {
BIO_printf(bio_err, "Bad max pipelines value\n");
goto end;
}

#if !defined(OPENSSL_NO_NEXTPROTONEG)
next_proto.status = -1;
if (next_proto_neg_in) {
Expand Down Expand Up @@ -1606,11 +1592,26 @@ int s_client_main(int argc, char **argv)
if (async) {
SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
}
if (split_send_fragment > 0) {
SSL_CTX_set_split_send_fragment(ctx, split_send_fragment);

if (max_send_fragment > 0
&& !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
prog, max_send_fragment);
goto end;
}

if (split_send_fragment > 0
&& !SSL_CTX_set_split_send_fragment(ctx, split_send_fragment)) {
BIO_printf(bio_err, "%s: Split send fragment size %u is out of permitted range\n",
prog, split_send_fragment);
goto end;
}
if (max_pipelines > 0) {
SSL_CTX_set_max_pipelines(ctx, max_pipelines);

if (max_pipelines > 0
&& !SSL_CTX_set_max_pipelines(ctx, max_pipelines)) {
BIO_printf(bio_err, "%s: Max pipelines %u is out of permitted range\n",
prog, max_pipelines);
goto end;
}

if (read_buf_len > 0) {
53 changes: 28 additions & 25 deletions apps/s_server.c
Expand Up @@ -717,7 +717,8 @@ typedef enum OPTION_choice {
OPT_CRLF, OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC,
OPT_SSL_CONFIG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
OPT_SSL_CONFIG,
OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
OPT_SSL3, OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN,
OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
Expand Down Expand Up @@ -856,11 +857,12 @@ const OPTIONS s_server_options[] = {
{"async", OPT_ASYNC, '-', "Operate in asynchronous mode"},
{"ssl_config", OPT_SSL_CONFIG, 's',
"Configure SSL_CTX using the configuration 'val'"},
{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'n',
{"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
"Size used to split data for encrypt pipelines"},
{"max_pipelines", OPT_MAX_PIPELINES, 'n',
{"max_pipelines", OPT_MAX_PIPELINES, 'p',
"Maximum number of encrypt/decrypt pipelines to be used"},
{"read_buf", OPT_READ_BUF, 'n',
{"read_buf", OPT_READ_BUF, 'p',
"Default read buffer size to be used for connections"},
OPT_S_OPTIONS,
OPT_V_OPTIONS,
Expand Down Expand Up @@ -999,6 +1001,7 @@ int s_server_main(int argc, char *argv[])
int s_tlsextstatus = 0;
#endif
int no_resume_ephemeral = 0;
unsigned int max_send_fragment = 0;
unsigned int split_send_fragment = 0, max_pipelines = 0;
const char *s_serverinfo_file = NULL;
const char *keylog_file = NULL;
Expand Down Expand Up @@ -1497,15 +1500,11 @@ int s_server_main(int argc, char *argv[])
case OPT_ASYNC:
async = 1;
break;
case OPT_MAX_SEND_FRAG:
max_send_fragment = atoi(opt_arg());
break;
case OPT_SPLIT_SEND_FRAG:
split_send_fragment = atoi(opt_arg());
if (split_send_fragment == 0) {
/*
* Not allowed - set to a deliberately bad value so we get an
* error message below
*/
split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1;
}
break;
case OPT_MAX_PIPELINES:
max_pipelines = atoi(opt_arg());
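Review bot: Dropping the explicit `split_send_fragment == 0` rejection under `case OPT_SPLIT_SEND_FRAG` means a `-split_send_frag 0` argument would now be silently skipped by the later `if (split_send_fragment > 0 && ...)` guard rather than reported, unless the option parser already refuses it. The options table switched these entries from value type `'n'` to `'p'`, which presumably makes the parser reject non-positive values before this switch is reached, but nothing in the hunk records that dependency. A short comment at the `case OPT_SPLIT_SEND_FRAG:` label would make it explicit: `/* 'p' options are rejected by the option parser when non-positive, so 0 never reaches here */`. The same applies to the corresponding hunk in apps/s_client.c. The enclosing switch and s_server_main continue outside this hunk.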
Expand Down Expand Up @@ -1562,16 +1561,6 @@ int s_server_main(int argc, char *argv[])
}
#endif

if (split_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
BIO_printf(bio_err, "Bad split send fragment size\n");
goto end;
}

if (max_pipelines > SSL_MAX_PIPELINES) {
BIO_printf(bio_err, "Bad max pipelines value\n");
goto end;
}

if (!app_passwd(passarg, dpassarg, &pass, &dpass)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
Expand Down Expand Up @@ -1760,11 +1749,25 @@ int s_server_main(int argc, char *argv[])
if (async) {
SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
}
if (split_send_fragment > 0) {
SSL_CTX_set_split_send_fragment(ctx, split_send_fragment);

if (max_send_fragment > 0
&& !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
prog, max_send_fragment);
goto end;
}

if (split_send_fragment > 0
&& !SSL_CTX_set_split_send_fragment(ctx, split_send_fragment)) {
BIO_printf(bio_err, "%s: Split send fragment size %u is out of permitted range\n",
prog, split_send_fragment);
goto end;
}
if (max_pipelines > 0) {
SSL_CTX_set_max_pipelines(ctx, max_pipelines);
if (max_pipelines > 0
&& !SSL_CTX_set_max_pipelines(ctx, max_pipelines)) {
BIO_printf(bio_err, "%s: Max pipelines %u is out of permitted range\n",
prog, max_pipelines);
goto end;
}

if (read_buf_len > 0) {
11 changes: 9 additions & 2 deletions doc/man1/s_client.pod
Expand Up @@ -86,6 +86,7 @@ B<openssl> B<s_client>
[B<-sctp>]
[B<-fallback_scsv>]
[B<-async>]
[B<-max_send_frag>]
[B<-split_send_frag>]
[B<-max_pipelines>]
[B<-read_buf>]
Expand Down Expand Up @@ -416,6 +417,11 @@ asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).

=item B<-max_send_frag int>

The maximum size of data fragment to send.
See L<SSL_CTX_set_max_send_fragment(3)> for further information.
Well, SSL_CTX_set_max_send_fragment says that it "will only accept a value in the range 512 - SSL3_RT_MAX_PLAIN_LENGTH." This kind of suggests that one should check its return value and at least issue a warning that the attempt failed.

I mean, as it stands now it only checks for the upper limit.

Checks added !


=item B<-split_send_frag int>

The size used to split data for encrypt pipelines. If more data is written in
Expand Down Expand Up @@ -643,8 +649,9 @@ information whenever a session is renegotiated.

=head1 SEE ALSO

L<SSL_CONF_cmd(3)>,
L<sess_id(1)>, L<s_server(1)>, L<ciphers(1)>
L<SSL_CONF_cmd(3)>, L<sess_id(1)>, L<s_server(1)>, L<ciphers(1)>,
L<SSL_CTX_set_max_send_fragment(3)>, L<SSL_CTX_set_split_send_fragment(3)>
L<SSL_CTX_set_max_pipelines(3)>

=head1 HISTORY

11 changes: 9 additions & 2 deletions doc/man1/s_server.pod
Expand Up @@ -86,6 +86,7 @@ B<openssl> B<s_server>
[B<-sctp>]
[B<-listen>]
[B<-async>]
[B<-max_send_frag>]
[B<-split_send_frag>]
[B<-max_pipelines>]
[B<-read_buf>]
Expand Down Expand Up @@ -376,6 +377,11 @@ asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).

=item B<-max_send_frag int>

The maximum size of data fragment to send.
See L<SSL_CTX_set_max_send_fragment(3)> for further information.

=item B<-split_send_frag int>

The size used to split data for encrypt pipelines. If more data is written in
Expand Down Expand Up @@ -638,8 +644,9 @@ unknown cipher suites a client says it supports.

=head1 SEE ALSO

L<SSL_CONF_cmd(3)>,
L<sess_id(1)>, L<s_client(1)>, L<ciphers(1)>
L<SSL_CONF_cmd(3)>, L<sess_id(1)>, L<s_client(1)>, L<ciphers(1)>
L<SSL_CTX_set_max_send_fragment(3)>, L<SSL_CTX_set_split_send_fragment(3)>
L<SSL_CTX_set_max_pipelines(3)>

=head1 HISTORY
