Changes from review

Signed-off-by: Jan Bruckner <jan@janbruckner.de>
2023-03-15 11:04:45 +01:00 · 2023-03-15 11:04:45 +01:00 · a0589e75a0
commit a0589e75a0
parent 151f64283f
5 changed files with 12 additions and 5 deletions
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@ -1550,7 +1550,7 @@
 /**
 * \def MBEDTLS_SSL_RECORD_SIZE_LIMIT
 *
- * Enable support for RFC 8449 record_size_limit extension in SSL.
+ * Enable support for RFC 8449 record_size_limit extension in SSL (TLS 1.3 only).
 *
 * \warning This extension is currently in development and must NOT be used except
 *          for testing purposes.
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -2666,6 +2666,9 @@ int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */

 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2)
+#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64)
+
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
                                                  const unsigned char *buf,
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@ -2179,6 +2179,8 @@ static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,

                ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(ssl, p, p + extension_data_len);

+                // Return unconditionally here until we handle the record size limit correctly.
+                // Once handled correctly, only return in case of errors.
                return ret;

                break;
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -1578,10 +1578,10 @@ int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
                                                  const unsigned char *buf,
                                                  const unsigned char *end)
 {
-    const ptrdiff_t extension_data_len = end - buf;
-    if (extension_data_len != 2) {
+    const size_t extension_data_len = end - buf;
+    if (extension_data_len != MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH) {
        MBEDTLS_SSL_DEBUG_MSG(2,
-                              ("record_size_limit extension has invalid length: %td Bytes",
+                              ("record_size_limit extension has invalid length: %zu Bytes",
                               extension_data_len));

        MBEDTLS_SSL_PEND_FATAL_ALERT(
@ -1604,7 +1604,7 @@ int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
     * smaller than 64.  An endpoint MUST treat receipt of a smaller value
     * as a fatal error and generate an "illegal_parameter" alert.
     */
-    if (record_size_limit < 64) {
+    if (record_size_limit < MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN) {
        MBEDTLS_SSL_PEND_FATAL_ALERT(
            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
            MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@ -1591,6 +1591,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,

                ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(ssl, p, extension_data_end);

+                // Return unconditionally here until we handle the record size limit correctly.
+                // Once handled correctly, only return in case of errors.
                return ret;

                break;