Limit TLS record size to 2^14

See rfc8446#section-5.1

Limit TLS record size to 2^14
See rfc8446#section-5.1
237f9f1d · Sergey Prokhorov · 7677fe11 · 237f9f1d · 237f9f1d · 237f9f1d
Unverified Commit 237f9f1d authored Aug 12, 2019 by Sergey Prokhorov
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 12 deletions

mtp_fake_tls.erl src/mtp_fake_tls.erl +5 -4

prop_mtp_codec.erl test/prop_mtp_codec.erl +3 -3

prop_mtp_fake_tls.erl test/prop_mtp_fake_tls.erl +5 -5

No files found.
--- a/src/mtp_fake_tls.erl
+++ b/src/mtp_fake_tls.erl
@@ -33,7 +33,8 @@
         extensions :: [{non_neg_integer(), any()}]
        }).

-define(MAX_PACKET_SIZE, 65535).      % sizeof(uint16) - 1
+-define(MAX_IN_PACKET_SIZE, 65535).      % sizeof(uint16) - 1
+-define(MAX_OUT_PACKET_SIZE, 16384).     % 2^14 https://tools.ietf.org/html/rfc8446#section-5.1

 -define(TLS_10_VERSION, 3, 1).
 -define(TLS_12_VERSION, 3, 3).
@@ -184,7 +185,7 @@ try_decode_packet(<<?TLS_REC_CHANGE_CIPHER, ?TLS_12_VERSION, Size:16/unsigned-bi
                    _Data:Size/binary, Tail/binary>>, St) ->
    %% "Change cipher" are ignored
    try_decode_packet(Tail, St);
-try_decode_packet(Bin, St) when byte_size(Bin) =< (?MAX_PACKET_SIZE + 5) ->  % 5 is ?TLS_12_DATA + Size:16 size
+try_decode_packet(Bin, St) when byte_size(Bin) =< (?MAX_IN_PACKET_SIZE + 5) ->  % 5 is ?TLS_12_DATA + Size:16 size
    {incomplete, St};
 try_decode_packet(Bin, _St) ->
    error({protocol_error, tls_max_size, byte_size(Bin)}).
@@ -207,9 +208,9 @@ decode_all(Bin, Acc, St0) ->
 encode_packet(Bin, St) ->
    {encode_as_frames(Bin), St}.

-encode_as_frames(Bin) when byte_size(Bin) =< ?MAX_PACKET_SIZE ->
+encode_as_frames(Bin) when byte_size(Bin) =< ?MAX_OUT_PACKET_SIZE ->
    as_tls_data_frame(Bin);
-encode_as_frames(<<Chunk:?MAX_PACKET_SIZE/binary, Tail/binary>>) ->
+encode_as_frames(<<Chunk:?MAX_OUT_PACKET_SIZE/binary, Tail/binary>>) ->
    [as_tls_data_frame(Chunk) | encode_as_frames(Tail)].

 as_tls_data_frame(Bin) ->

--- a/test/prop_mtp_codec.erl
+++ b/test/prop_mtp_codec.erl
@@ -167,9 +167,9 @@ prop_tls_big_stream() ->
    ?FORALL({Key, Iv, Stream}, tls_big_stream_arg_set(), tls_obfuscated_secure_stream(Key, Iv, Stream)).

 tls_big_stream_arg_set() ->
-    %% Packets more than 64kb but less than 512kb
-    Min = 64 * 1024 + 10,
-    Max = 512 * 1024,
+    %% Packets more than 2^14b but less than 128kb
+    Min = 16 * 1024 + 10,
+    Max = 128 * 1024,
    proper_types:tuple(
      [mtp_prop_gen:key(),
       mtp_prop_gen:iv(),

--- a/test/prop_mtp_fake_tls.erl
+++ b/test/prop_mtp_fake_tls.erl
@@ -9,10 +9,10 @@ prop_codec_small(doc) ->
    "Tests that any binary below 65535 bytes can be encoded and decoded back as single frame".

 prop_codec_small() ->
-    ?FORALL(Bin, mtp_prop_gen:binary(8, 65535), codec_small(Bin)).
+    ?FORALL(Bin, mtp_prop_gen:binary(8, 16 * 1024), codec_small(Bin)).

 codec_small(Bin) ->
-    %% fake_tls can split big packets to multiple TLS frames of 64kb
+    %% fake_tls can split big packets to multiple TLS frames of 2^14b
    Codec = mtp_fake_tls:new(),
    {Data, Codec1} = mtp_fake_tls:encode_packet(Bin, Codec),
    {ok, Decoded, <<>>, _} = mtp_fake_tls:try_decode_packet(iolist_to_binary(Data), Codec1),
@@ -23,7 +23,7 @@ prop_codec_big(doc) ->
    "Tests that big binaries will be split to multiple chunks".

 prop_codec_big() ->
-    ?FORALL(Bin, mtp_prop_gen:binary(65536, 75000), codec_big(Bin)).
+    ?FORALL(Bin, mtp_prop_gen:binary(16 * 1024, 65535), codec_big(Bin)).

 codec_big(Bin) ->
    Codec = mtp_fake_tls:new(),
@@ -35,10 +35,10 @@ codec_big(Bin) ->
    

 prop_stream(doc) ->
-    "Tests that set of packets of size below 65535b can be encoded and decoded back".
+    "Tests that set of packets of size below 2^14b can be encoded and decoded back".

 prop_stream() ->
-    ?FORALL(Stream, proper_types:list(mtp_prop_gen:binary(8, 20000)),
+    ?FORALL(Stream, proper_types:list(mtp_prop_gen:binary(8, 16000)),
           codec_stream(Stream)).

 codec_stream(Stream) ->