Split the maximum fragment length into two - an input and output MFL
Since the server might want to have a different maximum fragment length
for the outgoing messages than the negotiated one - introduce a new way of
computing it. This commit also adds additional ssl-opt.sh tests ensuring
that the maximum fragment lengths are set as expected.
mbedtls_ssl_get_max_frag_len() is now deprecated; it is an alias for
mbedtls_ssl_get_output_max_frag_len() and its behaviour is unchanged
from before.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 1a071fc..1c98a5e 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -3523,18 +3523,61 @@
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/**
- * \brief Return the maximum fragment length (payload, in bytes).
- * This is the value negotiated with peer if any,
- * or the locally configured value.
+ * \brief Return the maximum fragment length (payload, in bytes) for
+ * the output buffer. For the client, this is the configured
+ * value. For the server, it is the minimum of two - the
+ * configured value and the negotiated one.
*
* \sa mbedtls_ssl_conf_max_frag_len()
* \sa mbedtls_ssl_get_max_record_payload()
*
* \param ssl SSL context
*
- * \return Current maximum fragment length.
+ * \return Current maximum fragment length for the output buffer.
*/
-size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl );
+size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief Return the maximum fragment length (payload, in bytes) for
+ * the input buffer. This is the negotiated maximum fragment
+ * length, or, if there is none, MBEDTLS_SSL_MAX_CONTENT_LEN.
+ * If it is not defined either, the value is 2^14. This function
+ * works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
+ *
+ * \sa mbedtls_ssl_conf_max_frag_len()
+ * \sa mbedtls_ssl_get_max_record_payload()
+ *
+ * \param ssl SSL context
+ *
+ * \return Current maximum fragment length for the output buffer.
+ */
+size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
+/**
+ * \brief This function is a deprecated approach to getting the max
+ * fragment length. Its an alias for
+ * \c mbedtls_ssl_get_output_max_frag_len(), as the behaviour
+ * is the same. See \c mbedtls_ssl_get_output_max_frag_len() for
+ * more detail.
+ *
+ * \sa mbedtls_ssl_get_input_max_frag_len()
+ * \sa mbedtls_ssl_get_output_max_frag_len()
+ *
+ * \param ssl SSL context
+ *
+ * \return Current maximum fragment length for the output buffer.
+ */
+MBEDTLS_DEPRECATED size_t mbedtls_ssl_get_max_frag_len(
+ const mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
/**
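Review bot: The \return line of the new mbedtls_ssl_get_input_max_frag_len() declaration says "for the output buffer", contradicting its own \brief a few lines above and apparently copied from the output variant; it should read `* \return Current maximum fragment length for the input buffer.`. The same \brief also states that the function "works as its predecessor, \c mbedtls_ssl_get_max_frag_len()", while the deprecated declaration further down documents mbedtls_ssl_get_max_frag_len() as an alias of the *output* function; since the commit message confirms the alias targets the output variant, that sentence in the input brief should be dropped or replaced by one stating how the two differ (the output value additionally takes the server's configured value into account). Keeping the two descriptions distinct matters because callers are expected to size buffers from these values, and a doc that presents them as interchangeable invites the wrong one being used. Minor: "Its an alias" in the deprecated brief should be "It's an alias".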
@@ -3555,7 +3598,8 @@
* when record compression is enabled.
*
* \sa mbedtls_ssl_set_mtu()
- * \sa mbedtls_ssl_get_max_frag_len()
+ * \sa mbedtls_ssl_get_output_max_frag_len()
+ * \sa mbedtls_ssl_get_input_max_frag_len()
* \sa mbedtls_ssl_get_record_expansion()
*
* \param ssl SSL context
@@ -3863,8 +3907,8 @@
* or negotiated with the peer), then:
* - with TLS, less bytes than requested are written.
* - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned.
- * \c mbedtls_ssl_get_max_frag_len() may be used to query the
- * active maximum fragment length.
+ * \c mbedtls_ssl_get_output_max_frag_len() may be used to
+ * query the active maximum fragment length.
*
* \note Attempting to write 0 bytes will result in an empty TLS
* application record being sent.