(D)TLS: Refactoring around the MFL extension

author: Peter Dettman <peter.dettman@bouncycastle.org> 2023-07-06 17:15:29 +0700
committer: Peter Dettman <peter.dettman@bouncycastle.org> 2023-07-06 17:15:29 +0700
commit: 806f7224c9c1f6708358115f0bb8a3fcfd0a0663 (patch)
tree: d705b3a45e0e86a0345430286d1a458a081c1579
parent: DTLS: Use SecurityParameters.m_resumedSession for resumption tracking (diff)
download: BouncyCastle.NET-ed25519-806f7224c9c1f6708358115f0bb8a3fcfd0a0663.tar.xz
7 files changed, 32 insertions, 41 deletions
diff --git a/crypto/src/tls/DtlsClientProtocol.cs b/crypto/src/tls/DtlsClientProtocol.cs
index b6876bdd1..e96e161d4 100644
--- a/crypto/src/tls/DtlsClientProtocol.cs
+++ b/crypto/src/tls/DtlsClientProtocol.cs
@@ -893,9 +893,8 @@ namespace Org.BouncyCastle.Tls
                     securityParameters.m_encryptThenMac = serverSentEncryptThenMac;
                 }
 
-                securityParameters.m_maxFragmentLength = EvaluateMaxFragmentLengthExtension(
-                    securityParameters.IsResumedSession, sessionClientExtensions, sessionServerExtensions,
-                    AlertDescription.illegal_parameter);
+                securityParameters.m_maxFragmentLength = TlsUtilities.ProcessMaxFragmentLengthExtension(
+                    sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);
 
                 securityParameters.m_truncatedHmac = TlsExtensionsUtilities.HasTruncatedHmacExtension(
                     sessionServerExtensions);
diff --git a/crypto/src/tls/DtlsProtocol.cs b/crypto/src/tls/DtlsProtocol.cs
index 745535148..566d07cb4 100644
--- a/crypto/src/tls/DtlsProtocol.cs
+++ b/crypto/src/tls/DtlsProtocol.cs
@@ -39,24 +39,6 @@ namespace Org.BouncyCastle.Tls
         }
 
         /// <exception cref="IOException"/>
-        internal static short EvaluateMaxFragmentLengthExtension(bool resumedSession,
-            IDictionary<int, byte[]> clientExtensions, IDictionary<int, byte[]> serverExtensions,
-            short alertDescription)
-        {
-            short maxFragmentLength = TlsExtensionsUtilities.GetMaxFragmentLengthExtension(serverExtensions);
-            if (maxFragmentLength >= 0)
-            {
-                if (!MaxFragmentLength.IsValid(maxFragmentLength)
-                    || (!resumedSession && maxFragmentLength != TlsExtensionsUtilities
-                        .GetMaxFragmentLengthExtension(clientExtensions)))
-                {
-                    throw new TlsFatalAlert(alertDescription);
-                }
-            }
-            return maxFragmentLength;
-        }
-
-        /// <exception cref="IOException"/>
         internal static byte[] GenerateCertificate(TlsContext context, Certificate certificate, Stream endPointHash)
         {
             MemoryStream buf = new MemoryStream();
diff --git a/crypto/src/tls/DtlsServerProtocol.cs b/crypto/src/tls/DtlsServerProtocol.cs
index 82c6ff290..66ab6d294 100644
--- a/crypto/src/tls/DtlsServerProtocol.cs
+++ b/crypto/src/tls/DtlsServerProtocol.cs
@@ -581,10 +581,12 @@ namespace Org.BouncyCastle.Tls
                 securityParameters.m_encryptThenMac = TlsExtensionsUtilities.HasEncryptThenMacExtension(
                     state.serverExtensions);
 
-                securityParameters.m_maxFragmentLength = EvaluateMaxFragmentLengthExtension(resumedSession,
-                    state.clientExtensions, state.serverExtensions, AlertDescription.internal_error);
+                securityParameters.m_maxFragmentLength = TlsUtilities.ProcessMaxFragmentLengthExtension(
+                    resumedSession ? null : state.clientExtensions, state.serverExtensions,
+                    AlertDescription.internal_error);
 
-                securityParameters.m_truncatedHmac = TlsExtensionsUtilities.HasTruncatedHmacExtension(state.serverExtensions);
+                securityParameters.m_truncatedHmac = TlsExtensionsUtilities.HasTruncatedHmacExtension(
+                    state.serverExtensions);
 
                 /*
                  * TODO It's surprising that there's no provision to allow a 'fresh' CertificateStatus to be sent in
diff --git a/crypto/src/tls/TlsClientProtocol.cs b/crypto/src/tls/TlsClientProtocol.cs
index 7b2f148d3..731638467 100644
--- a/crypto/src/tls/TlsClientProtocol.cs
+++ b/crypto/src/tls/TlsClientProtocol.cs
@@ -1306,8 +1306,8 @@ namespace Org.BouncyCastle.Tls
                     securityParameters.m_encryptThenMac = serverSentEncryptThenMAC;
                 }
 
-                securityParameters.m_maxFragmentLength = ProcessMaxFragmentLengthExtension(sessionClientExtensions,
-                    sessionServerExtensions, AlertDescription.illegal_parameter);
+                securityParameters.m_maxFragmentLength = TlsUtilities.ProcessMaxFragmentLengthExtension(
+                    sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);
 
                 securityParameters.m_truncatedHmac = TlsExtensionsUtilities.HasTruncatedHmacExtension(
                     sessionServerExtensions);
@@ -1431,8 +1431,8 @@ namespace Org.BouncyCastle.Tls
                 sessionServerExtensions = m_sessionParameters.ReadServerExtensions();
             }
 
-            securityParameters.m_maxFragmentLength = ProcessMaxFragmentLengthExtension(sessionClientExtensions,
-                sessionServerExtensions, AlertDescription.illegal_parameter);
+            securityParameters.m_maxFragmentLength = TlsUtilities.ProcessMaxFragmentLengthExtension(
+                sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);
 
             securityParameters.m_encryptThenMac = false;
             securityParameters.m_truncatedHmac = false;
diff --git a/crypto/src/tls/TlsProtocol.cs b/crypto/src/tls/TlsProtocol.cs
index 3689f3a76..9b8039a5e 100644
--- a/crypto/src/tls/TlsProtocol.cs
+++ b/crypto/src/tls/TlsProtocol.cs
@@ -1814,20 +1814,11 @@ namespace Org.BouncyCastle.Tls
         }
 
         /// <exception cref="IOException"/>
+        [Obsolete("Will be removed")]
         protected virtual short ProcessMaxFragmentLengthExtension(IDictionary<int, byte[]> clientExtensions,
             IDictionary<int, byte[]> serverExtensions, short alertDescription)
         {
-            short maxFragmentLength = TlsExtensionsUtilities.GetMaxFragmentLengthExtension(serverExtensions);
-            if (maxFragmentLength >= 0)
-            {
-                if (!MaxFragmentLength.IsValid(maxFragmentLength) ||
-                (clientExtensions != null &&
-                    maxFragmentLength != TlsExtensionsUtilities.GetMaxFragmentLengthExtension(clientExtensions)))
-                {
-                    throw new TlsFatalAlert(alertDescription);
-                }
-            }
-            return maxFragmentLength;
+            return TlsUtilities.ProcessMaxFragmentLengthExtension(clientExtensions, serverExtensions, alertDescription);
         }
 
         /// <exception cref="IOException"/>
diff --git a/crypto/src/tls/TlsServerProtocol.cs b/crypto/src/tls/TlsServerProtocol.cs
index 6d66b065d..def8ae49b 100644
--- a/crypto/src/tls/TlsServerProtocol.cs
+++ b/crypto/src/tls/TlsServerProtocol.cs
@@ -315,7 +315,7 @@ namespace Org.BouncyCastle.Tls
 
             if (serverEncryptedExtensions.Count > 0)
             {
-                securityParameters.m_maxFragmentLength = ProcessMaxFragmentLengthExtension(
+                securityParameters.m_maxFragmentLength = TlsUtilities.ProcessMaxFragmentLengthExtension(
                     securityParameters.IsResumedSession ? null : clientHelloExtensions, serverEncryptedExtensions,
                     AlertDescription.internal_error);
             }
@@ -692,7 +692,7 @@ namespace Org.BouncyCastle.Tls
                 securityParameters.m_encryptThenMac = TlsExtensionsUtilities.HasEncryptThenMacExtension(
                     m_serverExtensions);
 
-                securityParameters.m_maxFragmentLength = ProcessMaxFragmentLengthExtension(
+                securityParameters.m_maxFragmentLength = TlsUtilities.ProcessMaxFragmentLengthExtension(
                     resumedSession ? null : m_clientExtensions, m_serverExtensions, AlertDescription.internal_error);
 
                 securityParameters.m_truncatedHmac = TlsExtensionsUtilities.HasTruncatedHmacExtension(
diff --git a/crypto/src/tls/TlsUtilities.cs b/crypto/src/tls/TlsUtilities.cs
index 2f95e71ab..a9c7629d6 100644
--- a/crypto/src/tls/TlsUtilities.cs
+++ b/crypto/src/tls/TlsUtilities.cs
@@ -5731,6 +5731,23 @@ namespace Org.BouncyCastle.Tls
             return v;
         }
 
+        /// <exception cref="IOException"/>
+        internal static short ProcessMaxFragmentLengthExtension(IDictionary<int, byte[]> clientExtensions,
+            IDictionary<int, byte[]> serverExtensions, short alertDescription)
+        {
+            short maxFragmentLength = TlsExtensionsUtilities.GetMaxFragmentLengthExtension(serverExtensions);
+            if (maxFragmentLength >= 0)
+            {
+                if (!MaxFragmentLength.IsValid(maxFragmentLength) ||
+                    (clientExtensions != null &&
+                        maxFragmentLength != TlsExtensionsUtilities.GetMaxFragmentLengthExtension(clientExtensions)))
+                {
+                    throw new TlsFatalAlert(alertDescription);
+                }
+            }
+            return maxFragmentLength;
+        }
+
         // TODO[api] Not needed once GetHandshakeResendTimeMillis() has been added to TlsPeer
         internal static int GetHandshakeResendTimeMillis(TlsPeer tlsPeer)
         {
author	Peter Dettman <peter.dettman@bouncycastle.org>	2023-07-06 17:15:29 +0700
committer	Peter Dettman <peter.dettman@bouncycastle.org>	2023-07-06 17:15:29 +0700
commit	806f7224c9c1f6708358115f0bb8a3fcfd0a0663 (patch)
tree	d705b3a45e0e86a0345430286d1a458a081c1579
parent	DTLS: Use SecurityParameters.m_resumedSession for resumption tracking (diff)
download	BouncyCastle.NET-ed25519-806f7224c9c1f6708358115f0bb8a3fcfd0a0663.tar.xz