Comply with the received Record Size Limit extension

Fixes #7010 Signed-off-by: Jan Bruckner <jan@janbruckner.de>
2025-07-29 11:41:15 +03:00 · 2023-03-15 09:09:06 +01:00
parent d9c69d12ac
commit f482dcc6c7
9 changed files with 263 additions and 33 deletions
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -1714,7 +1714,7 @@ int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,

    MBEDTLS_SSL_DEBUG_MSG(2, ("RecordSizeLimit: %u Bytes", record_size_limit));

-    /* RFC 8449, section 4
+    /* RFC 8449, section 4:
     *
     * Endpoints MUST NOT send a "record_size_limit" extension with a value
     * smaller than 64.  An endpoint MUST treat receipt of a smaller value
@ -1727,13 +1727,47 @@ int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
        return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
    }

-    MBEDTLS_SSL_DEBUG_MSG(
-        2, ("record_size_limit extension is still in development. Aborting handshake."));
+    ssl->session_negotiate->record_size_limit = record_size_limit;

-    MBEDTLS_SSL_PEND_FATAL_ALERT(
-        MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
-        MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
-    return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+    return 0;
+}
+
+static inline size_t ssl_compute_internal_record_size_limit(size_t record_size_limit)
+{
+    /* RFC 8449, section 4:
+     *
+     * This value [record_size_limit] is the length of the plaintext of a protected record.
+     * The value includes the content type and padding added in TLS 1.3 (that is, the complete
+     * length of TLSInnerPlaintext).
+     *
+     * Thus, round down to a multiple of MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
+     * and subtract 1 (for the content type that will be added later)
+     */
+    return ((record_size_limit / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
+            MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
+}
+
+size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
+{
+    const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t record_size_limit = max_len;
+
+    if (ssl->session != NULL &&
+        ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+        ssl->session->record_size_limit < max_len) {
+        record_size_limit = ssl_compute_internal_record_size_limit(ssl->session->record_size_limit);
+    }
+
+    // TODO: this is currently untested
+    /* During a handshake, use the value being negotiated */
+    if (ssl->session_negotiate != NULL &&
+        ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+        ssl->session_negotiate->record_size_limit < max_len) {
+        record_size_limit = ssl_compute_internal_record_size_limit(
+            ssl->session_negotiate->record_size_limit);
+    }
+
+    return record_size_limit;
 }
 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */