author | Simon Josefsson <simon@josefsson.org> | 2008-04-29 10:16:04 +0200 |
---|---|---|
committer | Simon Josefsson <simon@josefsson.org> | 2008-04-29 10:16:04 +0200 |
commit | 46958a67b93bbb739bbc9a74ccb7e4dbd380ad76 (patch) | |
tree | aabc73ccf33fbaa07d73ecf9dce76f78ea9e2e85 | |
parent | 21e52370c84be4d1a804070351024e8a212f8bc6 (diff) | |
Increase max handshake packet size. Add new error code for situation.
Thanks to Marc Haber <mh+debian-bugs@zugschlus.de> and "Marc F.
Clemente" <marc@mclemente.net> for reporting and providing test servers.
-rw-r--r-- | NEWS | 13 | ||||
-rw-r--r-- | includes/gnutls/gnutls.h.in | 2 | ||||
-rw-r--r-- | lib/gnutls_buffers.c | 2 | ||||
-rw-r--r-- | lib/gnutls_errors.c | 6 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 6 | ||||
-rw-r--r-- | lib/gnutls_int.h | 4 |
6 files changed, 26 insertions, 7 deletions
@@ -5,6 +5,17 @@ See the end for copying conditions.
 * Version 2.3.8 (unreleased)
+** Increase default handshake packet size limit to 48kb.
+The old limit was 16kb and some servers send huge list of trusted CAs,
+thus running into the limit. FYI, applications can further increase
+this limit using gnutls_handshake_set_max_packet_length. Thanks to
+Marc Haber <mh+debian-bugs@zugschlus.de> and "Marc F. Clemente"
+<marc@mclemente.net> for reporting and providing test servers.
+
+** Add new error code when handshake is too large: GNUTLS_E_HANDSHAKE_TOO_LARGE
+Before GNUTLS_E_MEMORY_ERROR was used, which could be confused with
+other error situations.
+
 ** Hide definitions in crypto.h.
 We have decided that the APIs defined in crypto.h are not stable enough for v2.4, so don't use any of those functions.
@@ -15,7 +26,7 @@ correct name is found.
 ** Update of gnulib files.
 ** API and ABI modifications:
-No changes since last version.
+GNUTLS_E_HANDSHAKE_TOO_LARGE: ADDED.
 * Version 2.3.7 (released 2008-04-21)
diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in
index 835b9fa738..2fe6493e23 100644
--- a/includes/gnutls/gnutls.h.in
+++ b/includes/gnutls/gnutls.h.in
@@ -1308,6 +1308,8 @@ extern "C"
 #define GNUTLS_E_CRYPTO_ALREADY_REGISTERED -209
+#define GNUTLS_E_HANDSHAKE_TOO_LARGE -210
+
 #define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
 #define GNUTLS_E_APPLICATION_ERROR_MAX -65000
diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c
index 2caf266599..8d9be9cf2d 100644
--- a/lib/gnutls_buffers.c
+++ b/lib/gnutls_buffers.c
@@ -1185,7 +1185,7 @@ _gnutls_handshake_buffer_put (gnutls_session_t session, opaque * data,
       session->internals.max_handshake_data_buffer_size))
     {
       gnutls_assert ();
-      return GNUTLS_E_MEMORY_ERROR;
+      return GNUTLS_E_HANDSHAKE_TOO_LARGE;
     }
 
   _gnutls_buffers_log ("BUF[HSK]: Inserted %d bytes of Data\n", length);
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 707fc00e1b..456e31d718 100644
--- a/lib/gnutls_errors.c
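Review bot: The new `return GNUTLS_E_HANDSHAKE_TOO_LARGE;` only covers the size check inside _gnutls_handshake_buffer_put; if any other path in lib/ still returns GNUTLS_E_MEMORY_ERROR for an oversized handshake message (for instance a per-message length check performed before the data is buffered), callers will see the old and the new code for the same condition, which is worth confirming before the NEWS entry claims the ambiguity is gone. The visible condition compares against `session->internals.max_handshake_data_buffer_size`, and the documentation added by this same commit says 0 means "no upper limit", so it should be confirmed that the part of the condition above the hunk treats 0 as unlimited rather than rejecting every message. I would also add a one-line comment above the check, `/* Cap buffered handshake data; oversized messages are rejected as a DoS precaution, see gnutls_handshake_set_max_packet_length(). */`. The condition starts before this hunk and _gnutls_handshake_buffer_put continues past it.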
+++ b/lib/gnutls_errors.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
+ * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation
  *
  * Author: Nikos Mavrogiannopoulos
  *
@@ -249,6 +249,10 @@ static const gnutls_error_entry error_algorithms[] = {
   ERROR_ENTRY (N_("The specified algorithm or protocol is unknown."),
               GNUTLS_E_UNKNOWN_ALGORITHM, 1),
+  ERROR_ENTRY (N_("The handshake data size is too large (DoS?), "
+                  "check gnutls_handshake_set_max_packet_length()."),
+               GNUTLS_E_HANDSHAKE_TOO_LARGE, 1),
+
   {NULL, NULL, 0, 0}
 };
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 98aa86cb8f..39607a84a2 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -2961,9 +2961,11 @@ _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
  *
  * This function will set the maximum size of a handshake message.
  * Handshake messages over this size are rejected. The default value
- * is 16kb which is large enough. Set this to 0 if you do not want to
- * set an upper limit.
+ * is 48kb which is typically large enough. Set this to 0 if you do
+ * not want to set an upper limit.
+ *
+ * The reason for restricting the handshake message sizes are to
+ * limit Denial of Service attacks.
  **/
 void
 gnutls_handshake_set_max_packet_length (gnutls_session_t session, size_t max)
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index e37237d33c..8c3ff46ac1 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
+ * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation
  *
  * Author: Nikos Mavrogiannopoulos
  *
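Review bot: The added doc line `* The reason for restricting the handshake message sizes are to` has a subject/verb mismatch; I would write `* The reason for restricting the handshake message size is to` followed by `* limit Denial of Service attacks.`. Since the same paragraph tells callers that 0 removes the limit, the comment should spell out the security consequence rather than leave it implicit, e.g. `* Setting @max to 0 disables this protection and lets a peer make the library buffer arbitrarily large handshake data.`. The body of gnutls_handshake_set_max_packet_length lies outside the hunk, so whether it validates @max in any way is not visible here.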
@@ -47,7 +47,7 @@
 /* The size of a handshake message should not
  * be larger than this value.
  */
-#define MAX_HANDSHAKE_PACKET_SIZE 16*1024
+#define MAX_HANDSHAKE_PACKET_SIZE 48*1024
 #define TLS_RANDOM_SIZE 32
 #define TLS_MAX_SESSION_ID_SIZE 32 |
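Review bot: `#define MAX_HANDSHAKE_PACKET_SIZE 48*1024` is an unparenthesised expression macro, so a use such as `x / MAX_HANDSHAKE_PACKET_SIZE` or `MAX_HANDSHAKE_PACKET_SIZE * n` would bind unexpectedly; since the line is being touched anyway I would write `#define MAX_HANDSHAKE_PACKET_SIZE (48*1024)` (the old line had the same problem). The comment above still describes it as the size of a handshake message, while the public documentation changed in this commit calls it the default for the per-session cap that gnutls_handshake_set_max_packet_length() overrides; a comment such as `/* Default cap on buffered handshake data, overridable per session via gnutls_handshake_set_max_packet_length(). */` would keep the two in step. This value is a default rather than a protocol bound: a TLS handshake header carries a 24-bit length, so servers sending very large CA lists can still exceed 48kb and trigger GNUTLS_E_HANDSHAKE_TOO_LARGE, which applications should be prepared to handle.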