Add mbedtls_ssl_get_max_frag_len()
This is not very useful for TLS as mbedtls_ssl_write() will automatically
fragment and return the length used, and the application should check for that
anyway, but this is useful for DTLS where mbedtls_ssl_write() returns an
error, and the application needs to be able to query the maximum length
instead of just guessing.
diff --git a/ChangeLog b/ChangeLog
index 8d81524..c43be03 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,8 @@
compiler's command line.
* Prepend a "thread identifier" to debug messages (issue pointed out by
Hugo Leisink) (#210).
+ * Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment
+ length.
= mbed TLS 2.0.0 released 2015-07-13
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 288627b..dd799ab 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -2027,6 +2027,26 @@
*/
int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl );
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/**
+ * \brief Return the maximum fragment length (payload, in bytes).
+ * This is the value negotiated with peer if any,
+ * or the locally configured value.
+ *
+ * \note With DTLS, \c mbedtls_ssl_write() will return an error if
+ * called with a larger length value.
+ * With TLS, \c mbedtls_ssl_write() will fragment the input if
+ * necessary and return the number of bytes written; it is up
+ * to the caller to call \c mbedtls_ssl_write() again in
+ * order to send the remaining bytes if any.
+ *
+ * \param ssl SSL context
+ *
+ * \return Current maximum fragment length.
+ */
+size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
* \brief Return the peer certificate from the current connection
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9007562..283e80a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5862,6 +5862,29 @@
return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
}
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
+{
+ size_t max_len;
+
+ /*
+ * Assume mfl_code is correct since it was checked when set
+ */
+ max_len = mfl_code_to_length[ssl->conf->mfl_code];
+
+ /*
+ * Check if a smaller max length was negotiated
+ */
+ if( ssl->session_out != NULL &&
+ mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
+ {
+ max_len = mfl_code_to_length[ssl->session_out->mfl_code];
+ }
+
+ return max_len;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
#if defined(MBEDTLS_X509_CRT_PARSE_C)
const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
{
@@ -6339,23 +6362,7 @@
{
int ret;
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- unsigned int max_len;
-#endif
-
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- /*
- * Assume mfl_code is correct since it was checked when set
- */
- max_len = mfl_code_to_length[ssl->conf->mfl_code];
-
- /*
- * Check if a smaller max length was negotiated
- */
- if( ssl->session_out != NULL &&
- mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
- {
- max_len = mfl_code_to_length[ssl->session_out->mfl_code];
- }
+ size_t max_len = mbedtls_ssl_get_max_frag_len( ssl );
if( len > max_len )
{
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 2e0ac1e..c60e710 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1240,6 +1240,11 @@
else
mbedtls_printf( " [ Record expansion is unknown (compression) ]\n" );
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ mbedtls_printf( " [ Maximum fragment length is %u ]\n",
+ (unsigned int) mbedtls_ssl_get_max_frag_len( &ssl ) );
+#endif
+
#if defined(MBEDTLS_SSL_ALPN)
if( opt.alpn_string != NULL )
{
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 3aa05d5..e4940b8 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1946,6 +1946,11 @@
else
mbedtls_printf( " [ Record expansion is unknown (compression) ]\n" );
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ mbedtls_printf( " [ Maximum fragment length is %u ]\n",
+ (unsigned int) mbedtls_ssl_get_max_frag_len( &ssl ) );
+#endif
+
#if defined(MBEDTLS_SSL_ALPN)
if( opt.alpn_string != NULL )
{
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index bd36e22..77db588 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1085,6 +1085,8 @@
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3" \
0 \
+ -c "Maximum fragment length is 16384" \
+ -s "Maximum fragment length is 16384" \
-C "client hello, adding max_fragment_length extension" \
-S "found max fragment length extension" \
-S "server hello, max_fragment_length extension" \
@@ -1094,6 +1096,8 @@
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3 max_frag_len=4096" \
0 \
+ -c "Maximum fragment length is 4096" \
+ -s "Maximum fragment length is 4096" \
-c "client hello, adding max_fragment_length extension" \
-s "found max fragment length extension" \
-s "server hello, max_fragment_length extension" \
@@ -1103,6 +1107,8 @@
"$P_SRV debug_level=3 max_frag_len=4096" \
"$P_CLI debug_level=3" \
0 \
+ -c "Maximum fragment length is 16384" \
+ -s "Maximum fragment length is 4096" \
-C "client hello, adding max_fragment_length extension" \
-S "found max fragment length extension" \
-S "server hello, max_fragment_length extension" \
@@ -1113,6 +1119,7 @@
"$G_SRV" \
"$P_CLI debug_level=3 max_frag_len=4096" \
0 \
+ -c "Maximum fragment length is 4096" \
-c "client hello, adding max_fragment_length extension" \
-c "found max_fragment_length extension"
@@ -1120,6 +1127,8 @@
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
0 \
+ -c "Maximum fragment length is 2048" \
+ -s "Maximum fragment length is 2048" \
-c "client hello, adding max_fragment_length extension" \
-s "found max fragment length extension" \
-s "server hello, max_fragment_length extension" \
@@ -1131,6 +1140,8 @@
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
0 \
+ -c "Maximum fragment length is 2048" \
+ -s "Maximum fragment length is 2048" \
-c "client hello, adding max_fragment_length extension" \
-s "found max fragment length extension" \
-s "server hello, max_fragment_length extension" \
@@ -1143,6 +1154,8 @@
"$P_SRV debug_level=3 dtls=1" \
"$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1 \
+ -c "Maximum fragment length is 2048" \
+ -s "Maximum fragment length is 2048" \
-c "client hello, adding max_fragment_length extension" \
-s "found max fragment length extension" \
-s "server hello, max_fragment_length extension" \