commit f482dcc6c7a6003a86a69948f1f05f4e9490967e
author Jan Bruckner <jan@janbruckner.de> Wed Mar 15 09:09:06 2023 +0100
committer Waleed Elmelegy <waleed.elmelegy@arm.com> Wed Dec 06 15:18:08 2023 +0000
tree 2d5224708a320b30ee4dc3e1cbabd27b6ca69d1a
parent d9c69d12acebe89dbdc023e66d25c05d84725aa0

Comply with the received Record Size Limit extension

Fixes #7010

Signed-off-by: Jan Bruckner <jan@janbruckner.de>

library/ssl_tls13_generic.c

diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index cc77a94..7c7aac8 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1714,7 +1714,7 @@
 
     MBEDTLS_SSL_DEBUG_MSG(2, ("RecordSizeLimit: %u Bytes", record_size_limit));
 
-    /* RFC 8449, section 4
+    /* RFC 8449, section 4:
      *
      * Endpoints MUST NOT send a "record_size_limit" extension with a value
      * smaller than 64.  An endpoint MUST treat receipt of a smaller value
@@ -1727,13 +1727,47 @@
         return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
     }
 
-    MBEDTLS_SSL_DEBUG_MSG(
-        2, ("record_size_limit extension is still in development. Aborting handshake."));
+    ssl->session_negotiate->record_size_limit = record_size_limit;
 
-    MBEDTLS_SSL_PEND_FATAL_ALERT(
-        MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
-        MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
-    return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+    return 0;
+}
+
+static inline size_t ssl_compute_internal_record_size_limit(size_t record_size_limit)
+{
+    /* RFC 8449, section 4:
+     *
+     * This value [record_size_limit] is the length of the plaintext of a protected record.
+     * The value includes the content type and padding added in TLS 1.3 (that is, the complete
+     * length of TLSInnerPlaintext).
+     *
+     * Thus, round down to a multiple of MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
+     * and subtract 1 (for the content type that will be added later)
+     */
+    return ((record_size_limit / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
+            MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
+}
+
+size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
+{
+    const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t record_size_limit = max_len;
+
+    if (ssl->session != NULL &&
+        ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+        ssl->session->record_size_limit < max_len) {
+        record_size_limit = ssl_compute_internal_record_size_limit(ssl->session->record_size_limit);
+    }
+
+    // TODO: this is currently untested
+    /* During a handshake, use the value being negotiated */
+    if (ssl->session_negotiate != NULL &&
+        ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+        ssl->session_negotiate->record_size_limit < max_len) {
+        record_size_limit = ssl_compute_internal_record_size_limit(
+            ssl->session_negotiate->record_size_limit);
+    }
+
+    return record_size_limit;
 }
 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */