Merge pull request #7083 from KloolK/record-size-limit/parsing

Add parsing for Record Size Limit extension in TLS 1.3
2026-04-20 22:05:15 +00:00 · 2023-03-17 10:18:34 +00:00 · 2023-03-17 10:18:34 +00:00 · 0e2b06a1ce
commit 0e2b06a1ce
parent 9f02a4177b 1a38e54436
11 changed files with 169 additions and 26 deletions
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@ -3943,6 +3943,21 @@ component_test_tls13_no_compatibility_mode () {
    tests/ssl-opt.sh
 }

+component_test_tls13_only_record_size_limit () {
+    msg "build: TLS 1.3 only from default, record size limit extension enabled"
+    scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT
+    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
+
+    msg "test_suite_ssl: TLS 1.3 only, record size limit extension enabled"
+    cd tests; ./test_suite_ssl; cd ..
+
+    msg "ssl-opt.sh: (TLS 1.3 only, record size limit extension tests only)"
+    # Both the server and the client will currently abort the handshake when they encounter the
+    # record size limit extension. There is no way to prevent gnutls-cli from sending the extension
+    # which makes all G_NEXT_CLI + P_SRV tests fail. Thus, run only the tests for the this extension.
+    tests/ssl-opt.sh -f "Record Size Limit"
+}
+
 component_build_mingw () {
    msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
    make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@ -4748,32 +4748,37 @@ run_test    "Max fragment length: DTLS client, larger message" \

 # Tests for Record Size Limit extension

-# gnutls feature tests: check if the record size limit extension is supported with TLS 1.2.
-requires_gnutls_record_size_limit
-run_test    "Record Size Limit: Test gnutls record size limit feature" \
-            "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+CIPHER-ALL --disable-client-cert -d 4" \
-            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2 -V -d 4" \
-            0 \
-            -c "Preparing extension (Record Size Limit/28) for 'client hello'"\
-            -s "Parsing extension 'Record Size Limit/28' (2 bytes)" \
-            -s "Preparing extension (Record Size Limit/28) for 'TLS 1.2 server hello'" \
-            -c "Parsing extension 'Record Size Limit/28' (2 bytes)" \
-            -s "Version: TLS1.2" \
-            -c "Version: TLS1.2"
-
-# gnutls feature tests: check if the record size limit extension is supported with TLS 1.3.
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
-run_test    "Record Size Limit: TLS 1.3: Test gnutls record size limit feature" \
-            "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL --disable-client-cert -d 4" \
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test    "Record Size Limit: TLS 1.3: Server-side parsing, debug output and fatal alert" \
+            "$P_SRV debug_level=3 force_version=tls13" \
            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4" \
+            1 \
+            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+            -c "Sending extension Record Size Limit/28 (2 bytes)" \
+            -s "ClientHello: record_size_limit(28) extension received."\
+            -s "found record_size_limit extension" \
+            -s "RecordSizeLimit: 16385 Bytes" \
+            -c "Received alert \[110]: An unsupported extension was sent"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_gnutls_next_disable_tls13_compat
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test    "Record Size Limit: TLS 1.3: Client-side parsing, debug output and fatal alert" \
+            "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert -d 4" \
+            "$P_CLI debug_level=4 force_version=tls13" \
            0 \
-            -c "Preparing extension (Record Size Limit/28) for 'client hello'"\
-            -s "Parsing extension 'Record Size Limit/28' (2 bytes)" \
-            -s "Preparing extension (Record Size Limit/28) for 'encrypted extensions'" \
-            -c "Parsing extension 'Record Size Limit/28' (2 bytes)" \
-            -s "Version: TLS1.3" \
-            -c "Version: TLS1.3"
+            -s "Preparing extension (Record Size Limit/28) for 'encrypted extensions'"
+# The P_CLI can not yet send the Record Size Limit extension. Thus, the G_NEXT_SRV does not send
+# a response in its EncryptedExtensions record.
+#            -s "Parsing extension 'Record Size Limit/28 (2 bytes)" \
+#            -s "Sending extension Record Size Limit/28 (2 bytes)" \
+#            -c "EncryptedExtensions: record_size_limit(28) extension received."\
+#            -c "found record_size_limit extension" \
+#            -c "RecordSizeLimit: 16385 Bytes" \
+#            -s "Received alert \[110]: An unsupported extension was sent"

 # Tests for renegotiation