diff --git a/ChangeLog b/ChangeLog index 948e4c3da..7233d4d23 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,9 @@ Changes * Improve compatibility with some alternative CCM implementations by using CCM test vectors from RAM. +INTERNAL NOTE: need to bump soversion of libmbedtls: +- added new member 'mtu' to public 'mbedtls_ssl_conf' structure + = mbed TLS 2.12.0 branch released 2018-07-25 Security diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 2d511a8ea..0283eee62 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -958,6 +958,10 @@ struct mbedtls_ssl_config unsigned int dhm_min_bitlen; /*!< min. bit length of the DHM prime */ #endif +#if defined(MBEDTLS_SSL_PROTO_DTLS) + uint16_t mtu; /*!< path mtu, used to fragment outoing messages */ +#endif + unsigned char max_major_ver; /*!< max. major version used */ unsigned char max_minor_ver; /*!< max. minor version used */ unsigned char min_major_ver; /*!< min. major version used */ 
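Review bot: The comment on the new `uint16_t mtu;` member in the `struct mbedtls_ssl_config` hunk misspells "outgoing" and does not say what the field means when it is left at its initial value, which matters because the setter added in library/ssl_tls.c stores whatever it is given without validation; I would write `/*!< path MTU, used to fragment outgoing messages; 0 = unset */` if zero is indeed the unset value, which should be confirmed against mbedtls_ssl_config_init() and mbedtls_ssl_config_defaults(), neither of which is touched here. The member is placed under `#if defined(MBEDTLS_SSL_PROTO_DTLS)`, so the public struct layout now differs between DTLS and non-DTLS builds in one more place, which is consistent with the ChangeLog note about bumping the soversion but is worth stating in that note. The struct definition starts and ends outside the hunk.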
@@ -2423,6 +2427,33 @@ void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf, char cert_req_ca_list ); #endif /* MBEDTLS_SSL_SRV_C */ +#if defined(MBEDTLS_SSL_PROTO_DTLS) +/** + * \brief Set the Maximum Tranport Unit (MTU). + * This represents the maximum size of a datagram payload + * handled by the transport layer (usually UDP) as determined + * by the network link and stack. In practice, this controls + * the maximum size datagram the DTLS layer will pass to the + * \c f_send() callback set using \c mbedtls_ssl_set_bio(). + * + * \note This only controls the size of the packet we send. + * Client-side, you can request the server to use smaller + * records with \c mbedtls_conf_max_frag_len(). + * + * \note If both a MTU and a maximum fragment length have been + * configured (or negotiated with the peer), the lower limit + * is used. + * + * \note Values larger than \c MBEDTLS_SSL_OUT_CONTENT_LEN have no + * effect. This can only be used to decrease the maximum size + * of detagrams sent. + * + * \param conf SSL configuration + * \param mtu Value of the path MTU in bytes + */ +void mbedtls_ssl_conf_mtu( mbedtls_ssl_config *conf, uint16_t mtu ); +#endif /* MBEDTLS_SSL_PROTO_DTLS */ + #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) /** * \brief Set the maximum fragment length to emit and/or negotiate 
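Review bot: The first \note on `mbedtls_ssl_conf_mtu()` refers to `\c mbedtls_conf_max_frag_len()`, which is not the name of the setter declared further down in this header; the line should read `records with \c mbedtls_ssl_conf_max_frag_len().`. The same block has two typos, `Tranport` → `Transport` in the \brief and `detagrams` → `datagrams` in the last \note. The documentation also never states the default value or what 0 means, so a caller cannot tell how to remove a previously configured limit; a line such as `\note The default value is 0, which means no MTU limit is applied` should be added once that behaviour is confirmed in the fragmentation code, which is not part of this commit. Since the next hunk in this file says the MTU counts record overhead while the maximum fragment length excludes it, the "lower limit is used" note would be clearer if it said the comparison is presumably made after accounting for \c mbedtls_ssl_get_record_expansion().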
@@ -2433,6 +2464,18 @@ void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf, * (Client: set maximum fragment length to emit *and* * negotiate with the server during handshake) * + * \note With TLS, this currently only affects ApplicationData (sent + * with \c mbedtls_ssl_read()), not handshake messages. + * With DTLS, this affects both ApplicationData and handshake. + * + * \note This sets the maximum length for a record's paylaod, + * excluding record overhead that will be added to it, see + * \c mbedtls_ssl_get_record_expansion(). + * + * \note For DTLS, it is also possible to set a limit for the total + * size of daragrams passed to the transport layer, including + * record overhead, see \c mbedtls_ssl_conf_mtu(). + * * \param conf SSL configuration * \param mfl_code Code for maximum fragment length (allowed values: * MBEDTLS_SSL_MAX_FRAG_LEN_512, MBEDTLS_SSL_MAX_FRAG_LEN_1024, diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 86a279c0e..4b124ba8f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6750,6 +6750,13 @@ void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 ) } #endif +#if defined(MBEDTLS_SSL_PROTO_DTLS) +void mbedtls_ssl_conf_mtu( mbedtls_ssl_config *conf, uint16_t mtu ) +{ + conf->mtu = mtu; +} +#endif + #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code ) {
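Review bot: The first new \note on `mbedtls_ssl_conf_max_frag_len()` says ApplicationData is sent with `\c mbedtls_ssl_read()`; application data is written with mbedtls_ssl_write(), so the line should read `with \c mbedtls_ssl_write()), not handshake messages.`. Two further typos in the same hunk: `paylaod` → `payload` in the second \note and `daragrams` → `datagrams` in the third. The enclosing doc comment starts and ends outside the hunk.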
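Review bot: `mbedtls_ssl_conf_mtu()` stores the value as-is with no lower bound, so an MTU too small to hold even a DTLS record header can be configured here and will only fail later in whatever send path consumes `conf->mtu`, which is not part of this commit; the contract should be explicit so that code either rejects or clamps such values. A comment above the assignment, e.g. `/* No validation here: the fragmenting send path must handle any value, including 0 */`, would make that visible to the next maintainer. The one-line style appears to match the adjacent setters, and the function is complete within the hunk.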