commit 151f64283ffc91d2c5d3ee7d122cd36ded42cec0
author Jan Bruckner <jan@janbruckner.de> Fri Feb 10 12:45:19 2023 +0100
committer Jan Bruckner <jan@janbruckner.de> Tue Mar 14 08:41:25 2023 +0100
tree 892dd677aaa2794f17b7aad8e6ef3b41beb78d1b
parent 5a3629b6132c7dd4a517ebb6e572bb6dbaeb9888

Add parsing for Record Size Limit extension in TLS 1.3

Fixes #7007

Signed-off-by: Jan Bruckner <jan@janbruckner.de>

tests/scripts/all.sh

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 30185ad..4294382 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -3825,6 +3825,21 @@
     tests/ssl-opt.sh
 }
 
+component_test_tls13_only_record_size_limit () {
+    msg "build: TLS 1.3 only from default, record size limit extension enabled"
+    scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT
+    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
+
+    msg "test_suite_ssl: TLS 1.3 only, record size limit extension enabled"
+    cd tests; ./test_suite_ssl; cd ..
+
+    msg "ssl-opt.sh: (TLS 1.3 only, record size limit extension tests only)"
+    # Both the server and the client will currently abort the handshake when they encounter the
+    # record size limit extension. There is no way to prevent gnutls-cli from sending the extension
+    # which makes all G_NEXT_CLI + P_SRV tests fail. Thus, run only the tests for the this extension.
+    tests/ssl-opt.sh -f "Record Size Limit"
+}
+
 component_build_mingw () {
     msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
     make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs

tests/ssl-opt.sh

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index d73ef0f..f60edc5 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4727,32 +4727,37 @@
 
 # Tests for Record Size Limit extension
 
-# gnutls feature tests: check if the record size limit extension is supported with TLS 1.2.
-requires_gnutls_record_size_limit
-run_test    "Record Size Limit: Test gnutls record size limit feature" \
-            "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+CIPHER-ALL --disable-client-cert -d 4" \
-            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2 -V -d 4" \
-            0 \
-            -c "Preparing extension (Record Size Limit/28) for 'client hello'"\
-            -s "Parsing extension 'Record Size Limit/28' (2 bytes)" \
-            -s "Preparing extension (Record Size Limit/28) for 'TLS 1.2 server hello'" \
-            -c "Parsing extension 'Record Size Limit/28' (2 bytes)" \
-            -s "Version: TLS1.2" \
-            -c "Version: TLS1.2"
-
-# gnutls feature tests: check if the record size limit extension is supported with TLS 1.3.
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
-run_test    "Record Size Limit: TLS 1.3: Test gnutls record size limit feature" \
-            "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL --disable-client-cert -d 4" \
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test    "Record Size Limit: TLS 1.3: Server-side parsing, debug output and fatal alert" \
+            "$P_SRV debug_level=3 force_version=tls13" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4" \
+            1 \
+            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+            -c "Sending extension Record Size Limit/28 (2 bytes)" \
+            -s "ClientHello: record_size_limit(28) extension received."\
+            -s "found record_size_limit extension" \
+            -s "RecordSizeLimit: 16385 Bytes" \
+            -c "Received alert \[110]: An unsupported extension was sent"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_gnutls_next_disable_tls13_compat
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test    "Record Size Limit: TLS 1.3: Client-side parsing, debug output and fatal alert" \
+            "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert -d 4" \
+            "$P_CLI debug_level=4 force_version=tls13" \
             0 \
-            -c "Preparing extension (Record Size Limit/28) for 'client hello'"\
-            -s "Parsing extension 'Record Size Limit/28' (2 bytes)" \
-            -s "Preparing extension (Record Size Limit/28) for 'encrypted extensions'" \
-            -c "Parsing extension 'Record Size Limit/28' (2 bytes)" \
-            -s "Version: TLS1.3" \
-            -c "Version: TLS1.3"
+            -s "Preparing extension (Record Size Limit/28) for 'encrypted extensions'"
+# The P_CLI can not yet send the Record Size Limit extension. Thus, the G_NEXT_SRV does not send
+# a response in its EncryptedExtensions record.
+#            -s "Parsing extension 'Record Size Limit/28 (2 bytes)" \
+#            -s "Sending extension Record Size Limit/28 (2 bytes)" \
+#            -c "EncryptedExtensions: record_size_limit(28) extension received."\
+#            -c "found record_size_limit extension" \
+#            -c "RecordSizeLimit: 16385 Bytes" \
+#            -s "Received alert \[110]: An unsupported extension was sent"
 
 # Tests for renegotiation