RFC 9146: Update RecordStream for completeness

1 files changed, 14 insertions, 2 deletions

diff --git a/crypto/src/tls/RecordStream.cs b/crypto/src/tls/RecordStream.cs

index ed1c8d871..5b5ceff34 100644
--- a/crypto/src/tls/RecordStream.cs
+++ b/crypto/src/tls/RecordStream.cs
@@ -4,6 +4,7 @@ using System.IO;
 using System.Runtime.ExceptionServices;
 
 using Org.BouncyCastle.Tls.Crypto;
+using Org.BouncyCastle.Tls.Crypto.Impl;
 using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Tls
@@ -149,8 +150,19 @@ namespace Org.BouncyCastle.Tls
             // NOTE: For TLS 1.3, this only MIGHT be application data
             if (ContentType.application_data == recordType && m_handler.IsApplicationDataReady)
             {
-                applicationDataLimit = System.Math.Max(0, System.Math.Min(m_plaintextLimit,
-                    m_readCipher.GetPlaintextLimit(length)));
+                var cipher = m_readCipher;
+
+                int plaintextDecodeLimit;
+                if (cipher is AbstractTlsCipher abstractTlsCipher)
+                {
+                    plaintextDecodeLimit = abstractTlsCipher.GetPlaintextDecodeLimit(length);
+                }
+                else
+                {
+                    plaintextDecodeLimit = cipher.GetPlaintextLimit(length);
+                }
+
+                applicationDataLimit = System.Math.Max(0, System.Math.Min(m_plaintextLimit, plaintextDecodeLimit));
             }
 
             return new RecordPreview(recordSize, applicationDataLimit);