commit a0589e75a087f126a9584c4e91632e084cf8d0dd
author Jan Bruckner <jan@janbruckner.de> Wed Mar 15 11:04:45 2023 +0100
committer Jan Bruckner <jan@janbruckner.de> Wed Mar 15 11:04:45 2023 +0100
tree fd08265cec51416232c0c0d2aa87b795e5a75875
parent 151f64283ffc91d2c5d3ee7d122cd36ded42cec0

Changes from review

Signed-off-by: Jan Bruckner <jan@janbruckner.de>

library/ssl_misc.h

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index ccf382e..6fe0414 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2666,6 +2666,9 @@
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
 
 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2)
+#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64)
+
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
                                                   const unsigned char *buf,

library/ssl_tls13_client.c

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 17c1bae..143056f 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2179,6 +2179,8 @@
 
                 ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(ssl, p, p + extension_data_len);
 
+                // Return unconditionally here until we handle the record size limit correctly.
+                // Once handled correctly, only return in case of errors.
                 return ret;
 
                 break;

library/ssl_tls13_generic.c

diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 0e7aa3a..75854fc 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1578,10 +1578,10 @@
                                                   const unsigned char *buf,
                                                   const unsigned char *end)
 {
-    const ptrdiff_t extension_data_len = end - buf;
-    if (extension_data_len != 2) {
+    const size_t extension_data_len = end - buf;
+    if (extension_data_len != MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH) {
         MBEDTLS_SSL_DEBUG_MSG(2,
-                              ("record_size_limit extension has invalid length: %td Bytes",
+                              ("record_size_limit extension has invalid length: %zu Bytes",
                                extension_data_len));
 
         MBEDTLS_SSL_PEND_FATAL_ALERT(
@@ -1604,7 +1604,7 @@
      * smaller than 64.  An endpoint MUST treat receipt of a smaller value
      * as a fatal error and generate an "illegal_parameter" alert.
      */
-    if (record_size_limit < 64) {
+    if (record_size_limit < MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN) {
         MBEDTLS_SSL_PEND_FATAL_ALERT(
             MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
             MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

library/ssl_tls13_server.c

diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index de60a7a..1e1462c 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1591,6 +1591,8 @@
 
                 ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(ssl, p, extension_data_end);
 
+                // Return unconditionally here until we handle the record size limit correctly.
+                // Once handled correctly, only return in case of errors.
                 return ret;
 
                 break;