Comply with the received Record Size Limit extension
Fixes #7010
Signed-off-by: Jan Bruckner <jan@janbruckner.de>
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 462597b..27e020d 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -5709,11 +5709,8 @@
msg "test_suite_ssl: TLS 1.3 only, record size limit extension enabled"
cd tests; ./test_suite_ssl; cd ..
- msg "ssl-opt.sh: (TLS 1.3 only, record size limit extension tests only)"
- # Both the server and the client will currently abort the handshake when they encounter the
- # record size limit extension. There is no way to prevent gnutls-cli from sending the extension
- # which makes all G_NEXT_CLI + P_SRV tests fail. Thus, run only the tests for the this extension.
- tests/ssl-opt.sh -f "Record Size Limit"
+ msg "ssl-opt.sh: (TLS 1.3 only, record size limit extension enabled)"
+ tests/ssl-opt.sh
}
component_build_mingw () {
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 4762285..427849d 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4837,22 +4837,24 @@
requires_gnutls_tls1_3
requires_gnutls_record_size_limit
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-run_test "Record Size Limit: TLS 1.3: Server-side parsing, debug output and fatal alert" \
+run_test "Record Size Limit: TLS 1.3: Server-side parsing and debug output" \
"$P_SRV debug_level=3 force_version=tls13" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4" \
- 1 \
+ 0 \
-c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-c "Sending extension Record Size Limit/28 (2 bytes)" \
-s "ClientHello: record_size_limit(28) extension received."\
-s "found record_size_limit extension" \
-s "RecordSizeLimit: 16385 Bytes" \
- -c "Received alert \[110]: An unsupported extension was sent"
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 16384" \
+ -s "bytes written in 1 fragments"
requires_gnutls_tls1_3
requires_gnutls_record_size_limit
requires_gnutls_next_disable_tls13_compat
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-run_test "Record Size Limit: TLS 1.3: Client-side parsing, debug output and fatal alert" \
+run_test "Record Size Limit: TLS 1.3: Client-side parsing and debug output" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert -d 4" \
"$P_CLI debug_level=4 force_version=tls13" \
0 \
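Review bot: The server-side assertion `-s "bytes written in 1 fragments"` carries no byte count, so it matches any single-fragment write and does not pin that the default response actually fit under the 16384-byte payload limit logged just above it. The nine tests added later in this file all set `response_size=` explicitly and assert the full `"<N> bytes written in <K> fragments"` string; this test should do the same, e.g. `"$P_SRV debug_level=3 force_version=tls13 response_size=256"` with `-s "256 bytes written in 1 fragments"`. It would also help to state in a comment why a received `RecordSizeLimit: 16385` yields a maximum payload of 16384 — presumably the one byte RFC 8449 reserves for the TLS 1.3 content type — since the relationship is otherwise only implied by the two log lines. The client-side `run_test` that begins at the end of this hunk continues outside it.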
@@ -4863,8 +4865,162 @@
# -s "Sending extension Record Size Limit/28 (2 bytes)" \
# -c "EncryptedExtensions: record_size_limit(28) extension received."\
# -c "found record_size_limit extension" \
-# -c "RecordSizeLimit: 16385 Bytes" \
-# -s "Received alert \[110]: An unsupported extension was sent"
+# -c "RecordSizeLimit: 16385 Bytes"
+
+# In the following (9) tests, --recordsize is the value used by the G_NEXT_CLI (3.7.2) to configure the
+# maximum record size using "https://gnutls.org/reference/gnutls-gnutls.html#gnutls-record-set-max-size".
+# There is currently a lower limit of 512, caused by this function not respecting the
+# "%ALLOW_SMALL_RECORDS" priority string and not using the more recent function
+# https://gnutls.org/reference/gnutls-gnutls.html#gnutls-record-set-max-recv-size.
+# There is currently an upper limit of 4096, caused by the cli arg parser:
+# https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/src/cli-args.def#L395.
+# Thus, these tests are currently limit to that value range.
+# Moreover, the value sent in the extension is expected to be larger by one compared
+# to the value passed on the cli:
+# https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/lib/ext/record_size_limit.c#L142
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 1 fragment" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=256" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
+ 0 \
+ -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+ -c "Sending extension Record Size Limit/28 (2 bytes)" \
+ -s "ClientHello: record_size_limit(28) extension received."\
+ -s "found record_size_limit extension" \
+ -s "RecordSizeLimit: 513 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 511" \
+ -s "256 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 2 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=768" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
+ 0 \
+ -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+ -c "Sending extension Record Size Limit/28 (2 bytes)" \
+ -s "ClientHello: record_size_limit(28) extension received."\
+ -s "found record_size_limit extension" \
+ -s "RecordSizeLimit: 513 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 511" \
+ -s "768 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 3 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=1280" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
+ 0 \
+ -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+ -c "Sending extension Record Size Limit/28 (2 bytes)" \
+ -s "ClientHello: record_size_limit(28) extension received."\
+ -s "found record_size_limit extension" \
+ -s "RecordSizeLimit: 513 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 511" \
+ -s "1280 bytes written in 3 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 1 fragment" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=512" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
+ 0 \
+ -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+ -c "Sending extension Record Size Limit/28 (2 bytes)" \
+ -s "ClientHello: record_size_limit(28) extension received."\
+ -s "found record_size_limit extension" \
+ -s "RecordSizeLimit: 1024 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 1023" \
+ -s "512 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 2 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=1536" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
+ 0 \
+ -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+ -c "Sending extension Record Size Limit/28 (2 bytes)" \
+ -s "ClientHello: record_size_limit(28) extension received."\
+ -s "found record_size_limit extension" \
+ -s "RecordSizeLimit: 1024 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 1023" \
+ -s "1536 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 3 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=2560" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
+ 0 \
+ -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+ -c "Sending extension Record Size Limit/28 (2 bytes)" \
+ -s "ClientHello: record_size_limit(28) extension received."\
+ -s "found record_size_limit extension" \
+ -s "RecordSizeLimit: 1024 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 1023" \
+ -s "2560 bytes written in 3 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 1 fragment" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=2048" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
+ 0 \
+ -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+ -c "Sending extension Record Size Limit/28 (2 bytes)" \
+ -s "ClientHello: record_size_limit(28) extension received."\
+ -s "found record_size_limit extension" \
+ -s "RecordSizeLimit: 4096 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 4095" \
+ -s "2048 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 2 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=6144" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
+ 0 \
+ -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+ -c "Sending extension Record Size Limit/28 (2 bytes)" \
+ -s "ClientHello: record_size_limit(28) extension received."\
+ -s "found record_size_limit extension" \
+ -s "RecordSizeLimit: 4096 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 4095" \
+ -s "6144 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 3 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=10240" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
+ 0 \
+ -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+ -c "Sending extension Record Size Limit/28 (2 bytes)" \
+ -s "ClientHello: record_size_limit(28) extension received."\
+ -s "found record_size_limit extension" \
+ -s "RecordSizeLimit: 4096 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 4095" \
+ -s "10240 bytes written in 3 fragments"
# Tests for renegotiation
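Review bot: The expected value in the 513-byte cases, `-s "Maximum outgoing record payload length is 511"`, is two less than the received limit, whereas every other case in this file subtracts exactly one (1024 to 1023, 4096 to 4095, 16385 to 16384); the chosen response sizes (256, 768, 1280) give the same 1/2/3 fragment counts at a 511 or a 512 limit, so the fragment assertions cannot tell these apart. Either the implementation clamps differently near the lower bound and a comment should say so, or 511 is a typo that happens to pass; a response size that lands exactly on the limit, such as `response_size=512` expecting `"512 bytes written in 1 fragments"`, would pin the true value. The comment above these tests should read `Thus, these tests are currently limited to that value range.`, and a one-line note that only the outgoing direction (server honouring the client's limit) is covered here, not enforcement against oversized incoming records, would make the scope of the new coverage explicit.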