summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--gtests/ssl_gtest/libssl_internals.c4
-rw-r--r--gtests/ssl_gtest/libssl_internals.h1
-rw-r--r--gtests/ssl_gtest/ssl_0rtt_unittest.cc9
-rw-r--r--gtests/ssl_gtest/tls_agent.cc4
-rw-r--r--gtests/ssl_gtest/tls_connect.cc1
-rw-r--r--lib/ssl/ssl3exthandle.c2
-rw-r--r--lib/ssl/sslexp.h8
-rw-r--r--lib/ssl/sslimpl.h2
-rw-r--r--lib/ssl/sslsock.c70
-rw-r--r--lib/ssl/tls13con.c4
10 files changed, 41 insertions, 64 deletions
diff --git a/gtests/ssl_gtest/libssl_internals.c b/gtests/ssl_gtest/libssl_internals.c
index 17b4ffe49..887d85278 100644
--- a/gtests/ssl_gtest/libssl_internals.c
+++ b/gtests/ssl_gtest/libssl_internals.c
@@ -332,6 +332,10 @@ void SSLInt_SetTicketLifetime(uint32_t lifetime) {
ssl_ticket_lifetime = lifetime;
}
+void SSLInt_SetMaxEarlyDataSize(uint32_t size) {
+ ssl_max_early_data_size = size;
+}
+
SECStatus SSLInt_SetSocketMaxEarlyDataSize(PRFileDesc *fd, uint32_t size) {
sslSocket *ss;
diff --git a/gtests/ssl_gtest/libssl_internals.h b/gtests/ssl_gtest/libssl_internals.h
index 3efb362c2..95d4afdaf 100644
--- a/gtests/ssl_gtest/libssl_internals.h
+++ b/gtests/ssl_gtest/libssl_internals.h
@@ -50,6 +50,7 @@ PK11SymKey *SSLInt_CipherSpecToKey(const ssl3CipherSpec *spec);
SSLCipherAlgorithm SSLInt_CipherSpecToAlgorithm(const ssl3CipherSpec *spec);
const PRUint8 *SSLInt_CipherSpecToIv(const ssl3CipherSpec *spec);
void SSLInt_SetTicketLifetime(uint32_t lifetime);
+void SSLInt_SetMaxEarlyDataSize(uint32_t size);
SECStatus SSLInt_SetSocketMaxEarlyDataSize(PRFileDesc *fd, uint32_t size);
void SSLInt_RolloverAntiReplay(void);
diff --git a/gtests/ssl_gtest/ssl_0rtt_unittest.cc b/gtests/ssl_gtest/ssl_0rtt_unittest.cc
index 2b4f21096..a60295490 100644
--- a/gtests/ssl_gtest/ssl_0rtt_unittest.cc
+++ b/gtests/ssl_gtest/ssl_0rtt_unittest.cc
@@ -455,13 +455,10 @@ static void CheckEarlyDataLimit(const std::shared_ptr<TlsAgent>& agent,
}
TEST_P(TlsConnectTls13, SendTooMuchEarlyData) {
- EnsureTlsSetup();
const char* big_message = "0123456789abcdef";
const size_t short_size = strlen(big_message) - 1;
const PRInt32 short_length = static_cast<PRInt32>(short_size);
- EXPECT_EQ(SECSuccess,
- SSL_SetMaxEarlyDataSize(server_->ssl_fd(),
- static_cast<PRUint32>(short_size)));
+ SSLInt_SetMaxEarlyDataSize(static_cast<PRUint32>(short_size));
SetupForZeroRtt();
client_->Set0RttEnabled(true);
@@ -513,10 +510,8 @@ TEST_P(TlsConnectTls13, SendTooMuchEarlyData) {
}
TEST_P(TlsConnectTls13, ReceiveTooMuchEarlyData) {
- EnsureTlsSetup();
-
const size_t limit = 5;
- EXPECT_EQ(SECSuccess, SSL_SetMaxEarlyDataSize(server_->ssl_fd(), limit));
+ SSLInt_SetMaxEarlyDataSize(limit);
SetupForZeroRtt();
client_->Set0RttEnabled(true);
diff --git a/gtests/ssl_gtest/tls_agent.cc b/gtests/ssl_gtest/tls_agent.cc
index a038b572e..3b939bba8 100644
--- a/gtests/ssl_gtest/tls_agent.cc
+++ b/gtests/ssl_gtest/tls_agent.cc
@@ -182,10 +182,6 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc* modelSocket) {
ScopedCERTCertList anchors(CERT_NewCertList());
rv = SSL_SetTrustAnchors(ssl_fd(), anchors.get());
if (rv != SECSuccess) return false;
-
- rv = SSL_SetMaxEarlyDataSize(ssl_fd(), 1024);
- EXPECT_EQ(SECSuccess, rv);
- if (rv != SECSuccess) return false;
} else {
rv = SSL_SetURL(ssl_fd(), "server");
EXPECT_EQ(SECSuccess, rv);
diff --git a/gtests/ssl_gtest/tls_connect.cc b/gtests/ssl_gtest/tls_connect.cc
index 966d79065..0116bda45 100644
--- a/gtests/ssl_gtest/tls_connect.cc
+++ b/gtests/ssl_gtest/tls_connect.cc
@@ -197,6 +197,7 @@ void TlsConnectTestBase::SetUp() {
SSL_ConfigServerSessionIDCache(1024, 0, 0, g_working_dir_path.c_str());
SSLInt_ClearSelfEncryptKey();
SSLInt_SetTicketLifetime(30);
+ SSLInt_SetMaxEarlyDataSize(1024);
SSL_SetupAntiReplay(1 * PR_USEC_PER_SEC, 1, 3);
ClearStats();
Init();
diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
index 608332936..c0fbda7ab 100644
--- a/lib/ssl/ssl3exthandle.c
+++ b/lib/ssl/ssl3exthandle.c
@@ -821,7 +821,7 @@ ssl3_EncodeSessionTicket(sslSocket *ss, const NewSessionTicket *ticket,
if (rv != SECSuccess)
goto loser;
- rv = sslBuffer_AppendNumber(&plaintext, ss->opt.maxEarlyDataSize, 4);
+ rv = sslBuffer_AppendNumber(&plaintext, ssl_max_early_data_size, 4);
if (rv != SECSuccess)
goto loser;
diff --git a/lib/ssl/sslexp.h b/lib/ssl/sslexp.h
index 697dcb520..569add861 100644
--- a/lib/ssl/sslexp.h
+++ b/lib/ssl/sslexp.h
@@ -350,14 +350,6 @@ typedef SSLHelloRetryRequestAction(PR_CALLBACK *SSLHelloRetryRequestCallback)(
(PRFileDesc * _fd, PRBool _requestUpdate), \
(fd, requestUpdate))
-/* TLS 1.3 allows a server to set a limit on the number of bytes of early data
- * that can be received. This allows that limit to be set. Calling this function
- * has no effect on a client. */
-#define SSL_SetMaxEarlyDataSize(fd, size) \
- SSL_EXPERIMENTAL_API("SSL_SetMaxEarlyDataSize", \
- (PRFileDesc * _fd, PRUint32 _size), \
- (fd, size))
-
#define SSL_UseAltServerHelloType(fd, enable) \
SSL_DEPRECATED_EXPERIMENTAL_API
diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h
index 5964e5005..dee9aa20f 100644
--- a/lib/ssl/sslimpl.h
+++ b/lib/ssl/sslimpl.h
@@ -230,7 +230,6 @@ typedef struct sslOptionsStr {
* list of supported protocols. */
SECItem nextProtoNego;
- PRUint32 maxEarlyDataSize;
unsigned int useSecurity : 1;
unsigned int useSocks : 1;
unsigned int requestCertificate : 1;
@@ -1076,6 +1075,7 @@ extern FILE *ssl_keylog_iob;
extern PZLock *ssl_keylog_lock;
extern PRUint32 ssl3_sid_timeout;
extern PRUint32 ssl_ticket_lifetime;
+extern PRUint32 ssl_max_early_data_size;
extern const char *const ssl3_cipherName[];
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
index 02ca3ad1b..4893cb9f9 100644
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -53,35 +53,34 @@ static const sslSocketOps ssl_secure_ops = { /* SSL. */
** default settings for socket enables
*/
static sslOptions ssl_defaults = {
- .nextProtoNego = { siBuffer, NULL, 0 },
- .maxEarlyDataSize = 1 << 16,
- .useSecurity = PR_TRUE,
- .useSocks = PR_FALSE,
- .requestCertificate = PR_FALSE,
- .requireCertificate = SSL_REQUIRE_FIRST_HANDSHAKE,
- .handshakeAsClient = PR_FALSE,
- .handshakeAsServer = PR_FALSE,
- .noCache = PR_FALSE,
- .fdx = PR_FALSE,
- .detectRollBack = PR_TRUE,
- .noLocks = PR_FALSE,
- .enableSessionTickets = PR_FALSE,
- .enableDeflate = PR_FALSE,
- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
- .requireSafeNegotiation = PR_FALSE,
- .enableFalseStart = PR_FALSE,
- .cbcRandomIV = PR_TRUE,
- .enableOCSPStapling = PR_FALSE,
- .enableNPN = PR_FALSE,
- .enableALPN = PR_TRUE,
- .reuseServerECDHEKey = PR_TRUE,
- .enableFallbackSCSV = PR_FALSE,
- .enableServerDhe = PR_TRUE,
- .enableExtendedMS = PR_FALSE,
- .enableSignedCertTimestamps = PR_FALSE,
- .requireDHENamedGroups = PR_FALSE,
- .enable0RttData = PR_FALSE,
- .enableTls13CompatMode = PR_FALSE
+ { siBuffer, NULL, 0 }, /* nextProtoNego */
+ PR_TRUE, /* useSecurity */
+ PR_FALSE, /* useSocks */
+ PR_FALSE, /* requestCertificate */
+ 2, /* requireCertificate */
+ PR_FALSE, /* handshakeAsClient */
+ PR_FALSE, /* handshakeAsServer */
+ PR_FALSE, /* noCache */
+ PR_FALSE, /* fdx */
+ PR_TRUE, /* detectRollBack */
+ PR_FALSE, /* noLocks */
+ PR_FALSE, /* enableSessionTickets */
+ PR_FALSE, /* enableDeflate */
+ 2, /* enableRenegotiation (default: requires extension) */
+ PR_FALSE, /* requireSafeNegotiation */
+ PR_FALSE, /* enableFalseStart */
+ PR_TRUE, /* cbcRandomIV */
+ PR_FALSE, /* enableOCSPStapling */
+ PR_FALSE, /* enableNPN */
+ PR_TRUE, /* enableALPN */
+ PR_TRUE, /* reuseServerECDHEKey */
+ PR_FALSE, /* enableFallbackSCSV */
+ PR_TRUE, /* enableServerDhe */
+ PR_FALSE, /* enableExtendedMS */
+ PR_FALSE, /* enableSignedCertTimestamps */
+ PR_FALSE, /* requireDHENamedGroups */
+ PR_FALSE, /* enable0RttData */
+ PR_FALSE /* enableTls13CompatMode */
};
/*
@@ -1253,18 +1252,6 @@ SSL_OptionSetDefault(PRInt32 which, PRIntn val)
return SECSuccess;
}
-SECStatus
-SSLExp_SetMaxEarlyDataSize(PRFileDesc *fd, PRUint32 size)
-{
- sslSocket *ss = ssl_FindSocket(fd);
- if (!ss) {
- return SECFailure; /* Error code already set. */
- }
-
- ss->opt.maxEarlyDataSize = size;
- return SECSuccess;
-}
-
/* function tells us if the cipher suite is one that we no longer support. */
static PRBool
ssl_IsRemovedCipherSuite(PRInt32 suite)
@@ -3945,7 +3932,6 @@ struct {
EXP(InstallExtensionHooks),
EXP(KeyUpdate),
EXP(SendSessionTicket),
- EXP(SetMaxEarlyDataSize),
EXP(SetupAntiReplay),
#endif
{ "", NULL }
diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
index 0fbe78fe9..cef40e10d 100644
--- a/lib/ssl/tls13con.c
+++ b/lib/ssl/tls13con.c
@@ -4418,6 +4418,8 @@ tls13_SendClientSecondRound(sslSocket *ss)
* } NewSessionTicket;
*/
+PRUint32 ssl_max_early_data_size = (2 << 16); /* Arbitrary limit. */
+
static SECStatus
tls13_SendNewSessionTicket(sslSocket *ss, const PRUint8 *appToken,
unsigned int appTokenLen)
@@ -4519,7 +4521,7 @@ tls13_SendNewSessionTicket(sslSocket *ss, const PRUint8 *appToken,
if (rv != SECSuccess)
goto loser;
- rv = ssl3_AppendHandshakeNumber(ss, ss->opt.maxEarlyDataSize, 4);
+ rv = ssl3_AppendHandshakeNumber(ss, ssl_max_early_data_size, 4);
if (rv != SECSuccess)
goto loser;
}
View Lorry Controller Status