diff options
| author | Simon Josefsson <simon@josefsson.org> | 2008-04-29 10:16:04 +0200 |
|---|---|---|
| committer | Simon Josefsson <simon@josefsson.org> | 2008-04-29 10:16:04 +0200 |
| commit | 46958a67b93bbb739bbc9a74ccb7e4dbd380ad76 (patch) | |
| tree | aabc73ccf33fbaa07d73ecf9dce76f78ea9e2e85 /lib | |
| parent | 21e52370c84be4d1a804070351024e8a212f8bc6 (diff) | |
| download | gnutls-46958a67b93bbb739bbc9a74ccb7e4dbd380ad76.tar.gz | |
Increase max handshake packet size. Add new error code for situation.
Thanks to Marc Haber <mh+debian-bugs@zugschlus.de> and "Marc F.
Clemente" <marc@mclemente.net> for reporting and providing test servers.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/gnutls_buffers.c | 2 | ||||
| -rw-r--r-- | lib/gnutls_errors.c | 6 | ||||
| -rw-r--r-- | lib/gnutls_handshake.c | 6 | ||||
| -rw-r--r-- | lib/gnutls_int.h | 4 |
4 files changed, 12 insertions, 6 deletions
diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c index 2caf266599..8d9be9cf2d 100644 --- a/lib/gnutls_buffers.c +++ b/lib/gnutls_buffers.c @@ -1185,7 +1185,7 @@ _gnutls_handshake_buffer_put (gnutls_session_t session, opaque * data, session->internals.max_handshake_data_buffer_size)) { gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; + return GNUTLS_E_HANDSHAKE_TOO_LARGE; } _gnutls_buffers_log ("BUF[HSK]: Inserted %d bytes of Data\n", length); diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c index 707fc00e1b..456e31d718 100644 --- a/lib/gnutls_errors.c +++ b/lib/gnutls_errors.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation + * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation * * Author: Nikos Mavrogiannopoulos * @@ -249,6 +249,10 @@ static const gnutls_error_entry error_algorithms[] = { ERROR_ENTRY (N_("The specified algorithm or protocol is unknown."), GNUTLS_E_UNKNOWN_ALGORITHM, 1), + ERROR_ENTRY (N_("The handshake data size is too large (DoS?), " + "check gnutls_handshake_set_max_packet_length()."), + GNUTLS_E_HANDSHAKE_TOO_LARGE, 1), + {NULL, NULL, 0, 0} }; diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 98aa86cb8f..39607a84a2 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -2961,9 +2961,11 @@ _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session, * * This function will set the maximum size of a handshake message. * Handshake messages over this size are rejected. The default value - * is 16kb which is large enough. Set this to 0 if you do not want to - * set an upper limit. + * is 48kb which is typically large enough. Set this to 0 if you do + * not want to set an upper limit. * + * The reason for restricting the handshake message sizes are to + * limit Denial of Service attacks. **/ void gnutls_handshake_set_max_packet_length (gnutls_session_t session, size_t max) diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index e37237d33c..8c3ff46ac1 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation + * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation * * Author: Nikos Mavrogiannopoulos * @@ -47,7 +47,7 @@ /* The size of a handshake message should not * be larger than this value. */ -#define MAX_HANDSHAKE_PACKET_SIZE 16*1024 +#define MAX_HANDSHAKE_PACKET_SIZE 48*1024 #define TLS_RANDOM_SIZE 32 #define TLS_MAX_SESSION_ID_SIZE 32 |