Multiple issues with handling record_size_limit extension
Description of problem:
There are multiple issues related to handling of the record_size_limit extension, but since there's just one reproducer script, I'm filing a single bug.
Individual issues
- record_size_limit extension does not influence renegotiation handshake records or is applied right-away after receiving the new ClientHello, while RFC states "Records are subject to the limits that were set in the handshake that produces the keys that are used to protect those records." this causes
renegotiation with dropped extension
andrenegotiation with changed limit
to fail with record_overflow - gnutls sends smaller than possible value in TLS 1.3 - the limit in TLS 1.3 is 2**14 + 1. This causes
HRR sanity
,change size in TLS 1.3 session resumption
,check if server accepts maximum size in TLS 1.3
,too large record payload in TLS 1.3
,check server sent size in TLS 1.3
,drop extension in TLS 1.3 session resumption
to fail - a modified extension in 2nd CH in HRR handshake is not detected and handshake is not aborted. Test case
modified extension in 2nd CH in HRR handshake
. - malformed extension, with bigger payload than specified is not rejected. This causes
padded extension in TLS 1.3
andpadded extension in TLS 1.2
to fail - when extension is negotiated, the 1/n-1 record splitting in TLS 1.0 is disabled, this causes
check if server accepts maximum size in TLS 1.0
andcheck server sent size in TLS 1.0
to fail - Too large application_data records in TLS 1.2 are not detected when the extension is negotiated. This causes
too large record in TLS 1.2
to fail - GnuTLS does not advertise the extension during session resumption. This causes
change size in TLS 1.2 resumption
to fail - the server sends too large records when minimal size is advertised by client (ignores the extension?!). This causes
check if server accepts minimal size in TLS 1.2
,check if server accepts minimal size in TLS 1.1
andcheck if server accepts minimal size in TLS 1.0
to fail
Version of gnutls used:
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
local compile on Fedora 28
How reproducible:
chekout https://github.com/tomato42/tlsfuzzer/pull/494
run test-record-size-limit.py --reply-AD-size 821
Actual results:
Test end
successful: 12
failed: 21
'change size in TLS 1.2 resumption'
'change size in TLS 1.3 session resumption'
'check if server accepts maximum size in TLS 1.0'
'check if server accepts maximum size in TLS 1.3'
'check if server accepts minimal size in TLS 1.0'
'check if server accepts minimal size in TLS 1.1'
'check if server accepts minimal size in TLS 1.2'
'check if server accepts minimal size in TLS 1.3'
'check interaction with sha256 prf'
'check interaction with sha384 prf'
'check server sent size in TLS 1.0'
'check server sent size in TLS 1.3'
'drop extension in TLS 1.3 session resumption'
'HRR sanity'
'modified extension in 2nd CH in HRR handshake'
'padded extension in TLS 1.2'
'padded extension in TLS 1.3'
'renegotiation with changed limit'
'renegotiation with dropped extension'
'too large record in TLS 1.2'
'too large record payload in TLS 1.3'
Expected results:
successful: 33
failed: 0