eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add record size checking during handshake

Browse source 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
This commit is contained in:
Waleed Elmelegy 2023-12-05 20:08:51 +00:00
parent f482dcc6c7
commit 9aec1c71f2
6 changed files with 79 additions and 58 deletions
Download patch file Download diff file Expand all files Collapse all files

2
include/mbedtls/ssl.h
View file

@ -1188,7 +1188,7 @@ struct mbedtls_ssl_session {
unsigned char MBEDTLS_PRIVATE(mfl_code); /*!< MaxFragmentLength negotiated by peer */ unsigned char MBEDTLS_PRIVATE(mfl_code); /*!< MaxFragmentLength negotiated by peer */
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
/*!< Record Size Limit for outgoing data requested by peer */ /*!< RecordSizeLimit received by peer */
#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
uint16_t MBEDTLS_PRIVATE(record_size_limit); uint16_t MBEDTLS_PRIVATE(record_size_limit);
#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */

4
library/ssl_misc.h
View file

@ -441,9 +441,9 @@ size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
/** /**
* \brief Return the record size limit (in bytes) for * \brief Return the RecordSizeLimit (in bytes) for
* the output buffer. This is less than the value requested by the * the output buffer. This is less than the value requested by the
* peer (using RFC 8449), since it subtracts the space required for the * peer (see RFC 8449), since it subtracts the space required for the
* content type and padding of the TLSInnerPlaintext struct (RFC 8446). * content type and padding of the TLSInnerPlaintext struct (RFC 8446).
* Returns MBEDTLS_SSL_OUT_CONTENT_LEN if no limit was requested by the peer. * Returns MBEDTLS_SSL_OUT_CONTENT_LEN if no limit was requested by the peer.
* *

12
library/ssl_msg.c
View file

@ -917,6 +917,7 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
#endif #endif
size_t add_data_len; size_t add_data_len;
size_t post_avail; size_t post_avail;
int max_out_record_len = mbedtls_ssl_get_max_out_record_payload(ssl);
/* The SSL context is only used for debugging purposes! */ /* The SSL context is only used for debugging purposes! */
#if !defined(MBEDTLS_DEBUG_C) #if !defined(MBEDTLS_DEBUG_C)
@ -957,11 +958,11 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_BUF(4, "before encrypt: output payload", MBEDTLS_SSL_DEBUG_BUF(4, "before encrypt: output payload",
data, rec->data_len); data, rec->data_len);
if (rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN) { if (rec->data_len > (size_t) max_out_record_len) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Record content %" MBEDTLS_PRINTF_SIZET MBEDTLS_SSL_DEBUG_MSG(1, ("Record content %" MBEDTLS_PRINTF_SIZET
" too large, maximum %" MBEDTLS_PRINTF_SIZET, " too large, maximum %" MBEDTLS_PRINTF_SIZET,
rec->data_len, rec->data_len,
(size_t) MBEDTLS_SSL_OUT_CONTENT_LEN)); (size_t) max_out_record_len));
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
} }
@ -2742,7 +2743,7 @@ int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_t
* ... * ...
*/ */
*buf = ssl->out_msg + 4; *buf = ssl->out_msg + 4;
*buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4; *buf_len = mbedtls_ssl_get_max_out_record_payload(ssl) - 4;
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = hs_type; ssl->out_msg[0] = hs_type;
@ -2779,6 +2780,7 @@ int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const size_t hs_len = ssl->out_msglen - 4; const size_t hs_len = ssl->out_msglen - 4;
const unsigned char hs_type = ssl->out_msg[0]; const unsigned char hs_type = ssl->out_msg[0];
int max_out_record_len = mbedtls_ssl_get_max_out_record_payload(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write handshake message")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> write handshake message"));
@ -2817,12 +2819,12 @@ int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
* *
* Note: We deliberately do not check for the MTU or MFL here. * Note: We deliberately do not check for the MTU or MFL here.
*/ */
if (ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN) { if (ssl->out_msglen > (size_t) max_out_record_len) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Record too large: " MBEDTLS_SSL_DEBUG_MSG(1, ("Record too large: "
"size %" MBEDTLS_PRINTF_SIZET "size %" MBEDTLS_PRINTF_SIZET
", maximum %" MBEDTLS_PRINTF_SIZET, ", maximum %" MBEDTLS_PRINTF_SIZET,
ssl->out_msglen, ssl->out_msglen,
(size_t) MBEDTLS_SSL_OUT_CONTENT_LEN)); (size_t) max_out_record_len));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR; return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
} }

5
library/ssl_tls.c
View file

@ -7004,6 +7004,7 @@ int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
const mbedtls_x509_crt *crt; const mbedtls_x509_crt *crt;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
ssl->handshake->ciphersuite_info; ssl->handshake->ciphersuite_info;
int max_out_record_len = mbedtls_ssl_get_max_out_record_payload(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
@ -7048,10 +7049,10 @@ int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
while (crt != NULL) { while (crt != NULL) {
n = crt->raw.len; n = crt->raw.len;
if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) { if (n > max_out_record_len - 3 - i) {
MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
" > %" MBEDTLS_PRINTF_SIZET, " > %" MBEDTLS_PRINTF_SIZET,
i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN)); i + 3 + n, (size_t) max_out_record_len));
return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
} }

3
library/ssl_tls13_generic.c
View file

@ -1376,13 +1376,14 @@ static int ssl_tls13_write_change_cipher_spec_body(mbedtls_ssl_context *ssl,
int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl) int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl)
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
int max_out_record_len = mbedtls_ssl_get_max_out_record_payload(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
/* Write CCS message */ /* Write CCS message */
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_change_cipher_spec_body( MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_change_cipher_spec_body(
ssl, ssl->out_msg, ssl, ssl->out_msg,
ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN, ssl->out_msg + max_out_record_len,
&ssl->out_msglen)); &ssl->out_msglen));
ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;

111
tests/ssl-opt.sh
View file

@ -4837,6 +4837,7 @@ run_test "Max fragment length: DTLS client, larger message" \
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_gnutls_record_size_limit requires_gnutls_record_size_limit
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Record Size Limit: TLS 1.3: Server-side parsing and debug output" \ run_test "Record Size Limit: TLS 1.3: Server-side parsing and debug output" \
"$P_SRV debug_level=3 force_version=tls13" \ "$P_SRV debug_level=3 force_version=tls13" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4" \
@ -4854,6 +4855,7 @@ requires_gnutls_tls1_3
requires_gnutls_record_size_limit requires_gnutls_record_size_limit
requires_gnutls_next_disable_tls13_compat requires_gnutls_next_disable_tls13_compat
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Record Size Limit: TLS 1.3: Client-side parsing and debug output" \ run_test "Record Size Limit: TLS 1.3: Client-side parsing and debug output" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert -d 4" \ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert -d 4" \
"$P_CLI debug_level=4 force_version=tls13" \ "$P_CLI debug_level=4 force_version=tls13" \
@ -4878,57 +4880,67 @@ run_test "Record Size Limit: TLS 1.3: Client-side parsing and debug output" \
# Moreover, the value sent in the extension is expected to be larger by one compared # Moreover, the value sent in the extension is expected to be larger by one compared
# to the value passed on the cli: # to the value passed on the cli:
# https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/lib/ext/record_size_limit.c#L142 # https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/lib/ext/record_size_limit.c#L142
requires_gnutls_tls1_3
requires_gnutls_record_size_limit # Currently test certificates being used do not fit in 513 record size limit
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT # so 513 record size limit tests will not pass until certificates size
run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 1 fragment" \ # is reduced.
"$P_SRV debug_level=3 force_version=tls13 response_size=256" \ # TODO: use smaller certificates in during MbedTLS TLS 1.3 server testing.
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
0 \ # requires_gnutls_tls1_3
-c "Preparing extension (Record Size Limit/28) for 'client hello'" \ # requires_gnutls_record_size_limit
-c "Sending extension Record Size Limit/28 (2 bytes)" \ # requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-s "ClientHello: record_size_limit(28) extension received."\ # requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-s "found record_size_limit extension" \ # run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 1 fragment" \
-s "RecordSizeLimit: 513 Bytes" \ # "$P_SRV debug_level=3 force_version=tls13 response_size=256" \
-s "ClientHello: record_size_limit(28) extension exists." \ # "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
-s "Maximum outgoing record payload length is 511" \ # 0 \
-s "256 bytes written in 1 fragments" # -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
# -c "Sending extension Record Size Limit/28 (2 bytes)" \
requires_gnutls_tls1_3 # -s "ClientHello: record_size_limit(28) extension received."\
requires_gnutls_record_size_limit # -s "found record_size_limit extension" \
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT # -s "RecordSizeLimit: 513 Bytes" \
run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 2 fragments" \ # -s "ClientHello: record_size_limit(28) extension exists." \
"$P_SRV debug_level=3 force_version=tls13 response_size=768" \ # -s "Maximum outgoing record payload length is 511" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \ # -s "256 bytes written in 1 fragments"
0 \
-c "Preparing extension (Record Size Limit/28) for 'client hello'" \ # requires_gnutls_tls1_3
-c "Sending extension Record Size Limit/28 (2 bytes)" \ # requires_gnutls_record_size_limit
-s "ClientHello: record_size_limit(28) extension received."\ # requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-s "found record_size_limit extension" \ # requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-s "RecordSizeLimit: 513 Bytes" \ # run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 2 fragments" \
-s "ClientHello: record_size_limit(28) extension exists." \ # "$P_SRV debug_level=3 force_version=tls13 response_size=768" \
-s "Maximum outgoing record payload length is 511" \ # "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
-s "768 bytes written in 2 fragments" # 0 \
# -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
requires_gnutls_tls1_3 # -c "Sending extension Record Size Limit/28 (2 bytes)" \
requires_gnutls_record_size_limit # -s "ClientHello: record_size_limit(28) extension received."\
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT # -s "found record_size_limit extension" \
run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 3 fragments" \ # -s "RecordSizeLimit: 513 Bytes" \
"$P_SRV debug_level=3 force_version=tls13 response_size=1280" \ # -s "ClientHello: record_size_limit(28) extension exists." \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \ # -s "Maximum outgoing record payload length is 511" \
0 \ # -s "768 bytes written in 2 fragments"
-c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-c "Sending extension Record Size Limit/28 (2 bytes)" \ # requires_gnutls_tls1_3
-s "ClientHello: record_size_limit(28) extension received."\ # requires_gnutls_record_size_limit
-s "found record_size_limit extension" \ # requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-s "RecordSizeLimit: 513 Bytes" \ # requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-s "ClientHello: record_size_limit(28) extension exists." \ # run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 3 fragments" \
-s "Maximum outgoing record payload length is 511" \ # "$P_SRV debug_level=3 force_version=tls13 response_size=1280" \
-s "1280 bytes written in 3 fragments" # "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
# 0 \
# -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
# -c "Sending extension Record Size Limit/28 (2 bytes)" \
# -s "ClientHello: record_size_limit(28) extension received."\
# -s "found record_size_limit extension" \
# -s "RecordSizeLimit: 513 Bytes" \
# -s "ClientHello: record_size_limit(28) extension exists." \
# -s "Maximum outgoing record payload length is 511" \
# -s "1280 bytes written in 3 fragments"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_gnutls_record_size_limit requires_gnutls_record_size_limit
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 1 fragment" \ run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 1 fragment" \
"$P_SRV debug_level=3 force_version=tls13 response_size=512" \ "$P_SRV debug_level=3 force_version=tls13 response_size=512" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
@ -4945,6 +4957,7 @@ run_test "Record Size Limit: TLS 1.3: Server complies with record size limit
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_gnutls_record_size_limit requires_gnutls_record_size_limit
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 2 fragments" \ run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 2 fragments" \
"$P_SRV debug_level=3 force_version=tls13 response_size=1536" \ "$P_SRV debug_level=3 force_version=tls13 response_size=1536" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
@ -4961,6 +4974,7 @@ run_test "Record Size Limit: TLS 1.3: Server complies with record size limit
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_gnutls_record_size_limit requires_gnutls_record_size_limit
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 3 fragments" \ run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 3 fragments" \
"$P_SRV debug_level=3 force_version=tls13 response_size=2560" \ "$P_SRV debug_level=3 force_version=tls13 response_size=2560" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
@ -4977,6 +4991,7 @@ run_test "Record Size Limit: TLS 1.3: Server complies with record size limit
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_gnutls_record_size_limit requires_gnutls_record_size_limit
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 1 fragment" \ run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 1 fragment" \
"$P_SRV debug_level=3 force_version=tls13 response_size=2048" \ "$P_SRV debug_level=3 force_version=tls13 response_size=2048" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
@ -4993,6 +5008,7 @@ run_test "Record Size Limit: TLS 1.3: Server complies with record size limit
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_gnutls_record_size_limit requires_gnutls_record_size_limit
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 2 fragments" \ run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 2 fragments" \
"$P_SRV debug_level=3 force_version=tls13 response_size=6144" \ "$P_SRV debug_level=3 force_version=tls13 response_size=6144" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
@ -5009,6 +5025,7 @@ run_test "Record Size Limit: TLS 1.3: Server complies with record size limit
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_gnutls_record_size_limit requires_gnutls_record_size_limit
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 3 fragments" \ run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 3 fragments" \
"$P_SRV debug_level=3 force_version=tls13 response_size=10240" \ "$P_SRV debug_level=3 force_version=tls13 response_size=10240" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \