Skip to content
GitLab

Multiple issues with handling record_size_limit extension

Description of problem:

There are multiple issues related to handling of the record_size_limit extension, but since there's just one reproducer script, I'm filing a single bug.

Individual issues

  1. record_size_limit extension does not influence renegotiation handshake records or is applied right-away after receiving the new ClientHello, while RFC states "Records are subject to the limits that were set in the handshake that produces the keys that are used to protect those records." this causes renegotiation with dropped extension and renegotiation with changed limit to fail with record_overflow
  2. gnutls sends smaller than possible value in TLS 1.3 - the limit in TLS 1.3 is 2**14 + 1. This causes HRR sanity, change size in TLS 1.3 session resumption, check if server accepts maximum size in TLS 1.3, too large record payload in TLS 1.3, check server sent size in TLS 1.3, drop extension in TLS 1.3 session resumption to fail
  3. a modified extension in 2nd CH in HRR handshake is not detected and handshake is not aborted. Test case modified extension in 2nd CH in HRR handshake.
  4. malformed extension, with bigger payload than specified is not rejected. This causes padded extension in TLS 1.3 and padded extension in TLS 1.2 to fail
  5. when extension is negotiated, the 1/n-1 record splitting in TLS 1.0 is disabled, this causes check if server accepts maximum size in TLS 1.0 and check server sent size in TLS 1.0 to fail
  6. Too large application_data records in TLS 1.2 are not detected when the extension is negotiated. This causes too large record in TLS 1.2 to fail
  7. GnuTLS does not advertise the extension during session resumption. This causes change size in TLS 1.2 resumption to fail
  8. the server sends too large records when minimal size is advertised by client (ignores the extension?!). This causes check if server accepts minimal size in TLS 1.2, check if server accepts minimal size in TLS 1.1 and check if server accepts minimal size in TLS 1.0 to fail

Version of gnutls used:

b527be10

Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

local compile on Fedora 28

How reproducible:

chekout https://github.com/tomato42/tlsfuzzer/pull/494 run test-record-size-limit.py --reply-AD-size 821

Actual results:

Test end
successful: 12
failed: 21
  'change size in TLS 1.2 resumption'
  'change size in TLS 1.3 session resumption'
  'check if server accepts maximum size in TLS 1.0'
  'check if server accepts maximum size in TLS 1.3'
  'check if server accepts minimal size in TLS 1.0'
  'check if server accepts minimal size in TLS 1.1'
  'check if server accepts minimal size in TLS 1.2'
  'check if server accepts minimal size in TLS 1.3'
  'check interaction with sha256 prf'
  'check interaction with sha384 prf'
  'check server sent size in TLS 1.0'
  'check server sent size in TLS 1.3'
  'drop extension in TLS 1.3 session resumption'
  'HRR sanity'
  'modified extension in 2nd CH in HRR handshake'
  'padded extension in TLS 1.2'
  'padded extension in TLS 1.3'
  'renegotiation with changed limit'
  'renegotiation with dropped extension'
  'too large record in TLS 1.2'
  'too large record payload in TLS 1.3'

Expected results:

successful: 33
failed: 0