From f482dcc6c7a6003a86a69948f1f05f4e9490967e Mon Sep 17 00:00:00 2001
From: Jan Bruckner <jan@janbruckner.de>
Date: Wed, 15 Mar 2023 09:09:06 +0100
Subject: [PATCH 01/14] Comply with the received Record Size Limit extension

Fixes #7010

Signed-off-by: Jan Bruckner <jan@janbruckner.de>
---
 include/mbedtls/ssl.h       |   5 ++
 library/ssl_misc.h          |  18 ++++
 library/ssl_tls.c           |  24 ++++++
 library/ssl_tls13_client.c  |  11 ++-
 library/ssl_tls13_generic.c |  48 +++++++++--
 library/ssl_tls13_server.c  |  13 ++-
 programs/ssl/ssl_server2.c  |   2 +-
 tests/scripts/all.sh        |   7 +-
 tests/ssl-opt.sh            | 168 ++++++++++++++++++++++++++++++++++--
 9 files changed, 263 insertions(+), 33 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 043988f25..39baa4213 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1188,6 +1188,11 @@ struct mbedtls_ssl_session {
     unsigned char MBEDTLS_PRIVATE(mfl_code);     /*!< MaxFragmentLength negotiated by peer */
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
 
+/*!< Record Size Limit for outgoing data requested by peer */
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+    uint16_t MBEDTLS_PRIVATE(record_size_limit);
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
     unsigned char MBEDTLS_PRIVATE(exported);
 
     /** TLS version negotiated in the session. Used if and when renegotiating
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index eae192bac..6b799eebd 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -439,6 +439,24 @@ size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl);
 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
 
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+/**
+ * \brief          Return the record size limit (in bytes) for
+ *                 the output buffer. This is less than the value requested by the
+ *                 peer (using RFC 8449), since it subtracts the space required for the
+ *                 content type and padding of the TLSInnerPlaintext struct (RFC 8446).
+ *                 Returns MBEDTLS_SSL_OUT_CONTENT_LEN if no limit was requested by the peer.
+ *
+ * \sa             mbedtls_ssl_get_max_out_record_payload()
+ *                 ssl_compute_internal_record_size_limit()
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current record size limit for the output buffer.
+ */
+size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
 static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx)
 {
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 4daf2e7ee..7a8c759fa 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2455,6 +2455,7 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
  *       uint8 ticket_flags;
  *       opaque resumption_key<0..255>;
  *       uint32 max_early_data_size;
+ *       uint16 record_size_limit;
  *       select ( endpoint ) {
  *            case client: ClientOnlyData;
  *            case server: uint64 ticket_creation_time;
@@ -2490,6 +2491,9 @@ static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
 #if defined(MBEDTLS_SSL_EARLY_DATA)
     needed += 4;                            /* max_early_data_size */
 #endif
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+    needed += 2; /* record_size_limit */
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
 
 #if defined(MBEDTLS_HAVE_TIME)
     needed += 8; /* ticket_creation_time or ticket_reception_time */
@@ -2534,6 +2538,10 @@ static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
     MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0);
     p += 4;
 #endif
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+    MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0);
+    p += 2;
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
 
 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
     if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
@@ -2610,6 +2618,13 @@ static int ssl_tls13_session_load(mbedtls_ssl_session *session,
     session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0);
     p += 4;
 #endif
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+    if (end - p < 2) {
+        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+    }
+    session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
+    p += 2;
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
 
 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
     if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
@@ -3458,6 +3473,7 @@ int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
     size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
 
 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
+    !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
     !defined(MBEDTLS_SSL_PROTO_DTLS)
     (void) ssl;
 #endif
@@ -3470,6 +3486,14 @@ int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
     }
 #endif
 
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+    const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl);
+
+    if (max_len > record_size_limit) {
+        max_len = record_size_limit;
+    }
+#endif
+
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
         const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 052df7e66..1a246c4df 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2113,12 +2113,11 @@ static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
 
                 ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
                     ssl, p, p + extension_data_len);
-
-                /* TODO: Return unconditionally here until we handle the record
-                 * size limit correctly. Once handled correctly, only return in
-                 * case of errors. */
-                return ret;
-
+                if (ret != 0) {
+                    MBEDTLS_SSL_DEBUG_RET(
+                        1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
+                    return ret;
+                }
                 break;
 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
 
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index cc77a9438..7c7aac80e 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1714,7 +1714,7 @@ int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_MSG(2, ("RecordSizeLimit: %u Bytes", record_size_limit));
 
-    /* RFC 8449, section 4
+    /* RFC 8449, section 4:
      *
      * Endpoints MUST NOT send a "record_size_limit" extension with a value
      * smaller than 64.  An endpoint MUST treat receipt of a smaller value
@@ -1727,13 +1727,47 @@ int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
         return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
     }
 
-    MBEDTLS_SSL_DEBUG_MSG(
-        2, ("record_size_limit extension is still in development. Aborting handshake."));
+    ssl->session_negotiate->record_size_limit = record_size_limit;
 
-    MBEDTLS_SSL_PEND_FATAL_ALERT(
-        MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
-        MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
-    return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+    return 0;
+}
+
+static inline size_t ssl_compute_internal_record_size_limit(size_t record_size_limit)
+{
+    /* RFC 8449, section 4:
+     *
+     * This value [record_size_limit] is the length of the plaintext of a protected record.
+     * The value includes the content type and padding added in TLS 1.3 (that is, the complete
+     * length of TLSInnerPlaintext).
+     *
+     * Thus, round down to a multiple of MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
+     * and subtract 1 (for the content type that will be added later)
+     */
+    return ((record_size_limit / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
+            MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
+}
+
+size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
+{
+    const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t record_size_limit = max_len;
+
+    if (ssl->session != NULL &&
+        ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+        ssl->session->record_size_limit < max_len) {
+        record_size_limit = ssl_compute_internal_record_size_limit(ssl->session->record_size_limit);
+    }
+
+    // TODO: this is currently untested
+    /* During a handshake, use the value being negotiated */
+    if (ssl->session_negotiate != NULL &&
+        ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+        ssl->session_negotiate->record_size_limit < max_len) {
+        record_size_limit = ssl_compute_internal_record_size_limit(
+            ssl->session_negotiate->record_size_limit);
+    }
+
+    return record_size_limit;
 }
 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
 
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index bfe805f49..9e2cbbf24 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1699,14 +1699,11 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
 
                 ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
                     ssl, p, extension_data_end);
-
-                /*
-                 * TODO: Return unconditionally here until we handle the record
-                 *       size limit correctly.
-                 *       Once handled correctly, only return in case of errors.
-                 */
-                return ret;
-
+                if (ret != 0) {
+                    MBEDTLS_SSL_DEBUG_RET(
+                        1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
+                    return ret;
+                }
                 break;
 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
 
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index c96128b94..8f90345f5 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -3520,7 +3520,7 @@ handshake:
         mbedtls_printf("    [ Record expansion is unknown ]\n");
     }
 
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) || defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
     mbedtls_printf("    [ Maximum incoming record payload length is %u ]\n",
                    (unsigned int) mbedtls_ssl_get_max_in_record_payload(&ssl));
     mbedtls_printf("    [ Maximum outgoing record payload length is %u ]\n",
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 462597ba6..27e020db9 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -5709,11 +5709,8 @@ component_test_tls13_only_record_size_limit () {
     msg "test_suite_ssl: TLS 1.3 only, record size limit extension enabled"
     cd tests; ./test_suite_ssl; cd ..
 
-    msg "ssl-opt.sh: (TLS 1.3 only, record size limit extension tests only)"
-    # Both the server and the client will currently abort the handshake when they encounter the
-    # record size limit extension. There is no way to prevent gnutls-cli from sending the extension
-    # which makes all G_NEXT_CLI + P_SRV tests fail. Thus, run only the tests for the this extension.
-    tests/ssl-opt.sh -f "Record Size Limit"
+    msg "ssl-opt.sh: (TLS 1.3 only, record size limit extension enabled)"
+    tests/ssl-opt.sh
 }
 
 component_build_mingw () {
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 4762285b0..427849d24 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4837,22 +4837,24 @@ run_test    "Max fragment length: DTLS client, larger message" \
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-run_test    "Record Size Limit: TLS 1.3: Server-side parsing, debug output and fatal alert" \
+run_test    "Record Size Limit: TLS 1.3: Server-side parsing and debug output" \
             "$P_SRV debug_level=3 force_version=tls13" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4" \
-            1 \
+            0 \
             -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
             -c "Sending extension Record Size Limit/28 (2 bytes)" \
             -s "ClientHello: record_size_limit(28) extension received."\
             -s "found record_size_limit extension" \
             -s "RecordSizeLimit: 16385 Bytes" \
-            -c "Received alert \[110]: An unsupported extension was sent"
+            -s "ClientHello: record_size_limit(28) extension exists." \
+            -s "Maximum outgoing record payload length is 16384" \
+            -s "bytes written in 1 fragments"
 
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
 requires_gnutls_next_disable_tls13_compat
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-run_test    "Record Size Limit: TLS 1.3: Client-side parsing, debug output and fatal alert" \
+run_test    "Record Size Limit: TLS 1.3: Client-side parsing and debug output" \
             "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert -d 4" \
             "$P_CLI debug_level=4 force_version=tls13" \
             0 \
@@ -4863,8 +4865,162 @@ run_test    "Record Size Limit: TLS 1.3: Client-side parsing, debug output and f
 #            -s "Sending extension Record Size Limit/28 (2 bytes)" \
 #            -c "EncryptedExtensions: record_size_limit(28) extension received."\
 #            -c "found record_size_limit extension" \
-#            -c "RecordSizeLimit: 16385 Bytes" \
-#            -s "Received alert \[110]: An unsupported extension was sent"
+#            -c "RecordSizeLimit: 16385 Bytes"
+
+# In the following (9) tests, --recordsize is the value used by the G_NEXT_CLI (3.7.2) to configure the
+# maximum record size using "https://gnutls.org/reference/gnutls-gnutls.html#gnutls-record-set-max-size".
+# There is currently a lower limit of 512, caused by this function not respecting the
+# "%ALLOW_SMALL_RECORDS" priority string and not using the more recent function
+# https://gnutls.org/reference/gnutls-gnutls.html#gnutls-record-set-max-recv-size.
+# There is currently an upper limit of 4096, caused by the cli arg parser:
+# https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/src/cli-args.def#L395.
+# Thus, these tests are currently limit to that value range.
+# Moreover, the value sent in the extension is expected to be larger by one compared
+# to the value passed on the cli:
+# https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/lib/ext/record_size_limit.c#L142
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 1 fragment" \
+            "$P_SRV debug_level=3 force_version=tls13 response_size=256" \
+            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
+            0 \
+            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+            -c "Sending extension Record Size Limit/28 (2 bytes)" \
+            -s "ClientHello: record_size_limit(28) extension received."\
+            -s "found record_size_limit extension" \
+            -s "RecordSizeLimit: 513 Bytes" \
+            -s "ClientHello: record_size_limit(28) extension exists." \
+            -s "Maximum outgoing record payload length is 511" \
+            -s "256 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 2 fragments" \
+            "$P_SRV debug_level=3 force_version=tls13 response_size=768" \
+            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
+            0 \
+            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+            -c "Sending extension Record Size Limit/28 (2 bytes)" \
+            -s "ClientHello: record_size_limit(28) extension received."\
+            -s "found record_size_limit extension" \
+            -s "RecordSizeLimit: 513 Bytes" \
+            -s "ClientHello: record_size_limit(28) extension exists." \
+            -s "Maximum outgoing record payload length is 511" \
+            -s "768 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 3 fragments" \
+            "$P_SRV debug_level=3 force_version=tls13 response_size=1280" \
+            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
+            0 \
+            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+            -c "Sending extension Record Size Limit/28 (2 bytes)" \
+            -s "ClientHello: record_size_limit(28) extension received."\
+            -s "found record_size_limit extension" \
+            -s "RecordSizeLimit: 513 Bytes" \
+            -s "ClientHello: record_size_limit(28) extension exists." \
+            -s "Maximum outgoing record payload length is 511" \
+            -s "1280 bytes written in 3 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 1 fragment" \
+            "$P_SRV debug_level=3 force_version=tls13 response_size=512" \
+            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
+            0 \
+            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+            -c "Sending extension Record Size Limit/28 (2 bytes)" \
+            -s "ClientHello: record_size_limit(28) extension received."\
+            -s "found record_size_limit extension" \
+            -s "RecordSizeLimit: 1024 Bytes" \
+            -s "ClientHello: record_size_limit(28) extension exists." \
+            -s "Maximum outgoing record payload length is 1023" \
+            -s "512 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 2 fragments" \
+            "$P_SRV debug_level=3 force_version=tls13 response_size=1536" \
+            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
+            0 \
+            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+            -c "Sending extension Record Size Limit/28 (2 bytes)" \
+            -s "ClientHello: record_size_limit(28) extension received."\
+            -s "found record_size_limit extension" \
+            -s "RecordSizeLimit: 1024 Bytes" \
+            -s "ClientHello: record_size_limit(28) extension exists." \
+            -s "Maximum outgoing record payload length is 1023" \
+            -s "1536 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 3 fragments" \
+            "$P_SRV debug_level=3 force_version=tls13 response_size=2560" \
+            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
+            0 \
+            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+            -c "Sending extension Record Size Limit/28 (2 bytes)" \
+            -s "ClientHello: record_size_limit(28) extension received."\
+            -s "found record_size_limit extension" \
+            -s "RecordSizeLimit: 1024 Bytes" \
+            -s "ClientHello: record_size_limit(28) extension exists." \
+            -s "Maximum outgoing record payload length is 1023" \
+            -s "2560 bytes written in 3 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 1 fragment" \
+            "$P_SRV debug_level=3 force_version=tls13 response_size=2048" \
+            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
+            0 \
+            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+            -c "Sending extension Record Size Limit/28 (2 bytes)" \
+            -s "ClientHello: record_size_limit(28) extension received."\
+            -s "found record_size_limit extension" \
+            -s "RecordSizeLimit: 4096 Bytes" \
+            -s "ClientHello: record_size_limit(28) extension exists." \
+            -s "Maximum outgoing record payload length is 4095" \
+            -s "2048 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 2 fragments" \
+            "$P_SRV debug_level=3 force_version=tls13 response_size=6144" \
+            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
+            0 \
+            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+            -c "Sending extension Record Size Limit/28 (2 bytes)" \
+            -s "ClientHello: record_size_limit(28) extension received."\
+            -s "found record_size_limit extension" \
+            -s "RecordSizeLimit: 4096 Bytes" \
+            -s "ClientHello: record_size_limit(28) extension exists." \
+            -s "Maximum outgoing record payload length is 4095" \
+            -s "6144 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 3 fragments" \
+            "$P_SRV debug_level=3 force_version=tls13 response_size=10240" \
+            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
+            0 \
+            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+            -c "Sending extension Record Size Limit/28 (2 bytes)" \
+            -s "ClientHello: record_size_limit(28) extension received."\
+            -s "found record_size_limit extension" \
+            -s "RecordSizeLimit: 4096 Bytes" \
+            -s "ClientHello: record_size_limit(28) extension exists." \
+            -s "Maximum outgoing record payload length is 4095" \
+            -s "10240 bytes written in 3 fragments"
 
 # Tests for renegotiation
 

From 9aec1c71f2055c742ba854359cbc25f302224e14 Mon Sep 17 00:00:00 2001
From: Waleed Elmelegy <waleed.elmelegy@arm.com>
Date: Tue, 5 Dec 2023 20:08:51 +0000
Subject: [PATCH 02/14] Add record size checking during handshake

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
---
 include/mbedtls/ssl.h       |   2 +-
 library/ssl_misc.h          |   4 +-
 library/ssl_msg.c           |  12 ++--
 library/ssl_tls.c           |   5 +-
 library/ssl_tls13_generic.c |   3 +-
 tests/ssl-opt.sh            | 111 +++++++++++++++++++++---------------
 6 files changed, 79 insertions(+), 58 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 39baa4213..85ec7ab36 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1188,7 +1188,7 @@ struct mbedtls_ssl_session {
     unsigned char MBEDTLS_PRIVATE(mfl_code);     /*!< MaxFragmentLength negotiated by peer */
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
 
-/*!< Record Size Limit for outgoing data requested by peer */
+/*!< RecordSizeLimit received by peer */
 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
     uint16_t MBEDTLS_PRIVATE(record_size_limit);
 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 6b799eebd..fabb48bd8 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -441,9 +441,9 @@ size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
 
 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
 /**
- * \brief          Return the record size limit (in bytes) for
+ * \brief          Return the RecordSizeLimit (in bytes) for
  *                 the output buffer. This is less than the value requested by the
- *                 peer (using RFC 8449), since it subtracts the space required for the
+ *                 peer (see RFC 8449), since it subtracts the space required for the
  *                 content type and padding of the TLSInnerPlaintext struct (RFC 8446).
  *                 Returns MBEDTLS_SSL_OUT_CONTENT_LEN if no limit was requested by the peer.
  *
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 6579c9686..29518c385 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -917,6 +917,7 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
 #endif
     size_t add_data_len;
     size_t post_avail;
+    int max_out_record_len = mbedtls_ssl_get_max_out_record_payload(ssl);
 
     /* The SSL context is only used for debugging purposes! */
 #if !defined(MBEDTLS_DEBUG_C)
@@ -957,11 +958,11 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_DEBUG_BUF(4, "before encrypt: output payload",
                           data, rec->data_len);
 
-    if (rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
+    if (rec->data_len > (size_t) max_out_record_len) {
         MBEDTLS_SSL_DEBUG_MSG(1, ("Record content %" MBEDTLS_PRINTF_SIZET
                                   " too large, maximum %" MBEDTLS_PRINTF_SIZET,
                                   rec->data_len,
-                                  (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
+                                  (size_t) max_out_record_len));
         return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
     }
 
@@ -2742,7 +2743,7 @@ int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_t
      *    ...
      */
     *buf = ssl->out_msg + 4;
-    *buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
+    *buf_len = mbedtls_ssl_get_max_out_record_payload(ssl) - 4;
 
     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
     ssl->out_msg[0]  = hs_type;
@@ -2779,6 +2780,7 @@ int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     const size_t hs_len = ssl->out_msglen - 4;
     const unsigned char hs_type = ssl->out_msg[0];
+    int max_out_record_len = mbedtls_ssl_get_max_out_record_payload(ssl);
 
     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write handshake message"));
 
@@ -2817,12 +2819,12 @@ int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
      *
      * Note: We deliberately do not check for the MTU or MFL here.
      */
-    if (ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN) {
+    if (ssl->out_msglen > (size_t) max_out_record_len) {
         MBEDTLS_SSL_DEBUG_MSG(1, ("Record too large: "
                                   "size %" MBEDTLS_PRINTF_SIZET
                                   ", maximum %" MBEDTLS_PRINTF_SIZET,
                                   ssl->out_msglen,
-                                  (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
+                                  (size_t) max_out_record_len));
         return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
     }
 
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 7a8c759fa..419185c56 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7004,6 +7004,7 @@ int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
     const mbedtls_x509_crt *crt;
     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
         ssl->handshake->ciphersuite_info;
+    int max_out_record_len = mbedtls_ssl_get_max_out_record_payload(ssl);
 
     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
 
@@ -7048,10 +7049,10 @@ int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
 
     while (crt != NULL) {
         n = crt->raw.len;
-        if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) {
+        if (n > max_out_record_len - 3 - i) {
             MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
                                       " > %" MBEDTLS_PRINTF_SIZET,
-                                      i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
+                                      i + 3 + n, (size_t) max_out_record_len));
             return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
         }
 
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 7c7aac80e..237502178 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1376,13 +1376,14 @@ static int ssl_tls13_write_change_cipher_spec_body(mbedtls_ssl_context *ssl,
 int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl)
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    int max_out_record_len = mbedtls_ssl_get_max_out_record_payload(ssl);
 
     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
 
     /* Write CCS message */
     MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_change_cipher_spec_body(
                              ssl, ssl->out_msg,
-                             ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
+                             ssl->out_msg + max_out_record_len,
                              &ssl->out_msglen));
 
     ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 427849d24..c6ae2cab7 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4837,6 +4837,7 @@ run_test    "Max fragment length: DTLS client, larger message" \
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 run_test    "Record Size Limit: TLS 1.3: Server-side parsing and debug output" \
             "$P_SRV debug_level=3 force_version=tls13" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4" \
@@ -4854,6 +4855,7 @@ requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
 requires_gnutls_next_disable_tls13_compat
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 run_test    "Record Size Limit: TLS 1.3: Client-side parsing and debug output" \
             "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert -d 4" \
             "$P_CLI debug_level=4 force_version=tls13" \
@@ -4878,57 +4880,67 @@ run_test    "Record Size Limit: TLS 1.3: Client-side parsing and debug output" \
 # Moreover, the value sent in the extension is expected to be larger by one compared
 # to the value passed on the cli:
 # https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/lib/ext/record_size_limit.c#L142
-requires_gnutls_tls1_3
-requires_gnutls_record_size_limit
-requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 1 fragment" \
-            "$P_SRV debug_level=3 force_version=tls13 response_size=256" \
-            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
-            0 \
-            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-            -c "Sending extension Record Size Limit/28 (2 bytes)" \
-            -s "ClientHello: record_size_limit(28) extension received."\
-            -s "found record_size_limit extension" \
-            -s "RecordSizeLimit: 513 Bytes" \
-            -s "ClientHello: record_size_limit(28) extension exists." \
-            -s "Maximum outgoing record payload length is 511" \
-            -s "256 bytes written in 1 fragments"
-
-requires_gnutls_tls1_3
-requires_gnutls_record_size_limit
-requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 2 fragments" \
-            "$P_SRV debug_level=3 force_version=tls13 response_size=768" \
-            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
-            0 \
-            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-            -c "Sending extension Record Size Limit/28 (2 bytes)" \
-            -s "ClientHello: record_size_limit(28) extension received."\
-            -s "found record_size_limit extension" \
-            -s "RecordSizeLimit: 513 Bytes" \
-            -s "ClientHello: record_size_limit(28) extension exists." \
-            -s "Maximum outgoing record payload length is 511" \
-            -s "768 bytes written in 2 fragments"
-
-requires_gnutls_tls1_3
-requires_gnutls_record_size_limit
-requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 3 fragments" \
-            "$P_SRV debug_level=3 force_version=tls13 response_size=1280" \
-            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
-            0 \
-            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-            -c "Sending extension Record Size Limit/28 (2 bytes)" \
-            -s "ClientHello: record_size_limit(28) extension received."\
-            -s "found record_size_limit extension" \
-            -s "RecordSizeLimit: 513 Bytes" \
-            -s "ClientHello: record_size_limit(28) extension exists." \
-            -s "Maximum outgoing record payload length is 511" \
-            -s "1280 bytes written in 3 fragments"
+
+# Currently test certificates being used do not fit in 513 record size limit
+# so 513 record size limit tests will not pass until certificates size
+# is reduced.
+# TODO: use smaller certificates in during MbedTLS TLS 1.3 server testing.
+
+# requires_gnutls_tls1_3
+# requires_gnutls_record_size_limit
+# requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+# requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+# run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 1 fragment" \
+#             "$P_SRV debug_level=3 force_version=tls13 response_size=256" \
+#             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
+#             0 \
+#             -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+#             -c "Sending extension Record Size Limit/28 (2 bytes)" \
+#             -s "ClientHello: record_size_limit(28) extension received."\
+#             -s "found record_size_limit extension" \
+#             -s "RecordSizeLimit: 513 Bytes" \
+#             -s "ClientHello: record_size_limit(28) extension exists." \
+#             -s "Maximum outgoing record payload length is 511" \
+#             -s "256 bytes written in 1 fragments"
+
+# requires_gnutls_tls1_3
+# requires_gnutls_record_size_limit
+# requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+# requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+# run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 2 fragments" \
+#             "$P_SRV debug_level=3 force_version=tls13 response_size=768" \
+#             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
+#             0 \
+#             -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+#             -c "Sending extension Record Size Limit/28 (2 bytes)" \
+#             -s "ClientHello: record_size_limit(28) extension received."\
+#             -s "found record_size_limit extension" \
+#             -s "RecordSizeLimit: 513 Bytes" \
+#             -s "ClientHello: record_size_limit(28) extension exists." \
+#             -s "Maximum outgoing record payload length is 511" \
+#             -s "768 bytes written in 2 fragments"
+
+# requires_gnutls_tls1_3
+# requires_gnutls_record_size_limit
+# requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+# requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+# run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 3 fragments" \
+#             "$P_SRV debug_level=3 force_version=tls13 response_size=1280" \
+#             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
+#             0 \
+#             -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
+#             -c "Sending extension Record Size Limit/28 (2 bytes)" \
+#             -s "ClientHello: record_size_limit(28) extension received."\
+#             -s "found record_size_limit extension" \
+#             -s "RecordSizeLimit: 513 Bytes" \
+#             -s "ClientHello: record_size_limit(28) extension exists." \
+#             -s "Maximum outgoing record payload length is 511" \
+#             -s "1280 bytes written in 3 fragments"
 
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 1 fragment" \
             "$P_SRV debug_level=3 force_version=tls13 response_size=512" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
@@ -4945,6 +4957,7 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 2 fragments" \
             "$P_SRV debug_level=3 force_version=tls13 response_size=1536" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
@@ -4961,6 +4974,7 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 3 fragments" \
             "$P_SRV debug_level=3 force_version=tls13 response_size=2560" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
@@ -4977,6 +4991,7 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 1 fragment" \
             "$P_SRV debug_level=3 force_version=tls13 response_size=2048" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
@@ -4993,6 +5008,7 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 2 fragments" \
             "$P_SRV debug_level=3 force_version=tls13 response_size=6144" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
@@ -5009,6 +5025,7 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 3 fragments" \
             "$P_SRV debug_level=3 force_version=tls13 response_size=10240" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \

From 419f841511e0e26e846b6d512094fd935b03ef2d Mon Sep 17 00:00:00 2001
From: Waleed Elmelegy <waleed.elmelegy@arm.com>
Date: Thu, 7 Dec 2023 18:30:22 +0000
Subject: [PATCH 03/14] Skip checking on maximum fragment length during
 handshake

MbedTLS currently does not support maximum fragment length
during handshake so we skip it for now.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
---
 library/ssl_tls.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 419185c56..4d6b95863 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3472,6 +3472,10 @@ int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
 {
     size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
 
+    if (ssl == NULL || ssl->conf == NULL) {
+        return max_len;
+    }
+
 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
     !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
     !defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -3479,10 +3483,14 @@ int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
 #endif
 
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
-    const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
+    /* MbedTLS currently does not support maximum fragment length
+       during handshake so we skip it for now. */
+    if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
+        const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
 
-    if (max_len > mfl) {
-        max_len = mfl;
+        if (max_len > mfl) {
+            max_len = mfl;
+        }
     }
 #endif
 

From 05d670b71152520169672421018c588d0e17c294 Mon Sep 17 00:00:00 2001
From: Waleed Elmelegy <waleed.elmelegy@arm.com>
Date: Thu, 14 Dec 2023 16:00:57 +0000
Subject: [PATCH 04/14] Revert "Skip checking on maximum fragment length during
 handshake"

This reverts commit 419f841511e0e26e846b6d512094fd935b03ef2d.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
---
 library/ssl_tls.c | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 4d6b95863..419185c56 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3472,10 +3472,6 @@ int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
 {
     size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
 
-    if (ssl == NULL || ssl->conf == NULL) {
-        return max_len;
-    }
-
 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
     !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
     !defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -3483,14 +3479,10 @@ int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
 #endif
 
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
-    /* MbedTLS currently does not support maximum fragment length
-       during handshake so we skip it for now. */
-    if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
-        const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
+    const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
 
-        if (max_len > mfl) {
-            max_len = mfl;
-        }
+    if (max_len > mfl) {
+        max_len = mfl;
     }
 #endif
 

From 26e36983575e857e5a0364b11f20700bcdc6f9a2 Mon Sep 17 00:00:00 2001
From: Waleed Elmelegy <waleed.elmelegy@arm.com>
Date: Thu, 14 Dec 2023 16:14:05 +0000
Subject: [PATCH 05/14] Revert back checking on handshake messages length

Revert back checking on handshake messages length due to
limitation on our fragmentation support of handshake
messages.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
---
 library/ssl_msg.c           | 12 +++++-------
 library/ssl_tls.c           |  5 ++---
 library/ssl_tls13_generic.c |  3 +--
 tests/ssl-opt.sh            |  3 +--
 4 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 29518c385..6579c9686 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -917,7 +917,6 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
 #endif
     size_t add_data_len;
     size_t post_avail;
-    int max_out_record_len = mbedtls_ssl_get_max_out_record_payload(ssl);
 
     /* The SSL context is only used for debugging purposes! */
 #if !defined(MBEDTLS_DEBUG_C)
@@ -958,11 +957,11 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_DEBUG_BUF(4, "before encrypt: output payload",
                           data, rec->data_len);
 
-    if (rec->data_len > (size_t) max_out_record_len) {
+    if (rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
         MBEDTLS_SSL_DEBUG_MSG(1, ("Record content %" MBEDTLS_PRINTF_SIZET
                                   " too large, maximum %" MBEDTLS_PRINTF_SIZET,
                                   rec->data_len,
-                                  (size_t) max_out_record_len));
+                                  (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
         return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
     }
 
@@ -2743,7 +2742,7 @@ int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_t
      *    ...
      */
     *buf = ssl->out_msg + 4;
-    *buf_len = mbedtls_ssl_get_max_out_record_payload(ssl) - 4;
+    *buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
 
     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
     ssl->out_msg[0]  = hs_type;
@@ -2780,7 +2779,6 @@ int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     const size_t hs_len = ssl->out_msglen - 4;
     const unsigned char hs_type = ssl->out_msg[0];
-    int max_out_record_len = mbedtls_ssl_get_max_out_record_payload(ssl);
 
     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write handshake message"));
 
@@ -2819,12 +2817,12 @@ int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
      *
      * Note: We deliberately do not check for the MTU or MFL here.
      */
-    if (ssl->out_msglen > (size_t) max_out_record_len) {
+    if (ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN) {
         MBEDTLS_SSL_DEBUG_MSG(1, ("Record too large: "
                                   "size %" MBEDTLS_PRINTF_SIZET
                                   ", maximum %" MBEDTLS_PRINTF_SIZET,
                                   ssl->out_msglen,
-                                  (size_t) max_out_record_len));
+                                  (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
         return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
     }
 
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 419185c56..7a8c759fa 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7004,7 +7004,6 @@ int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
     const mbedtls_x509_crt *crt;
     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
         ssl->handshake->ciphersuite_info;
-    int max_out_record_len = mbedtls_ssl_get_max_out_record_payload(ssl);
 
     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
 
@@ -7049,10 +7048,10 @@ int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
 
     while (crt != NULL) {
         n = crt->raw.len;
-        if (n > max_out_record_len - 3 - i) {
+        if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) {
             MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
                                       " > %" MBEDTLS_PRINTF_SIZET,
-                                      i + 3 + n, (size_t) max_out_record_len));
+                                      i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
             return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
         }
 
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 237502178..7c7aac80e 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1376,14 +1376,13 @@ static int ssl_tls13_write_change_cipher_spec_body(mbedtls_ssl_context *ssl,
 int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl)
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-    int max_out_record_len = mbedtls_ssl_get_max_out_record_payload(ssl);
 
     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
 
     /* Write CCS message */
     MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_change_cipher_spec_body(
                              ssl, ssl->out_msg,
-                             ssl->out_msg + max_out_record_len,
+                             ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
                              &ssl->out_msglen));
 
     ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index c6ae2cab7..8fd295f30 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4883,8 +4883,7 @@ run_test    "Record Size Limit: TLS 1.3: Client-side parsing and debug output" \
 
 # Currently test certificates being used do not fit in 513 record size limit
 # so 513 record size limit tests will not pass until certificates size
-# is reduced.
-# TODO: use smaller certificates in during MbedTLS TLS 1.3 server testing.
+# is reduced or handshake messages fragmentation is supported.
 
 # requires_gnutls_tls1_3
 # requires_gnutls_record_size_limit

From 049cd302ed13a516eef412bffa9753f77edb763f Mon Sep 17 00:00:00 2001
From: Waleed Elmelegy <waleed.elmelegy@arm.com>
Date: Wed, 20 Dec 2023 17:28:31 +0000
Subject: [PATCH 06/14] Refactor record size limit extension handling

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
---
 include/mbedtls/ssl.h                |  2 +-
 library/ssl_tls.c                    | 45 ++++++++++++++++++++++++++--
 library/ssl_tls13_client.c           | 13 ++++++++
 library/ssl_tls13_generic.c          | 37 -----------------------
 tests/src/test_helpers/ssl_helpers.c |  4 +++
 tests/suites/test_suite_ssl.function |  4 +++
 6 files changed, 65 insertions(+), 40 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 85ec7ab36..3192e2a82 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1188,7 +1188,7 @@ struct mbedtls_ssl_session {
     unsigned char MBEDTLS_PRIVATE(mfl_code);     /*!< MaxFragmentLength negotiated by peer */
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
 
-/*!< RecordSizeLimit received by peer */
+/*!< RecordSizeLimit received from the peer */
 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
     uint16_t MBEDTLS_PRIVATE(record_size_limit);
 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 7a8c759fa..914eec329 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2492,7 +2492,7 @@ static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
     needed += 4;                            /* max_early_data_size */
 #endif
 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
-    needed += 2; /* record_size_limit */
+    needed += 2;                            /* record_size_limit */
 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
 
 #if defined(MBEDTLS_HAVE_TIME)
@@ -3420,6 +3420,31 @@ size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
     return max_len;
 }
 
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+
+size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
+{
+    const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t record_size_limit = max_len;
+
+    if (ssl->session != NULL &&
+        ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+        ssl->session->record_size_limit < max_len) {
+        record_size_limit = ssl->session->record_size_limit;
+    }
+
+    // TODO: this is currently untested
+    /* During a handshake, use the value being negotiated */
+    if (ssl->session_negotiate != NULL &&
+        ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+        ssl->session_negotiate->record_size_limit < max_len) {
+        record_size_limit = ssl->session_negotiate->record_size_limit;
+    }
+
+    return record_size_limit;
+}
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl)
 {
     size_t max_len;
@@ -3491,6 +3516,21 @@ int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
 
     if (max_len > record_size_limit) {
         max_len = record_size_limit;
+        if (ssl->transform_out != NULL &&
+            ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+            /* RFC 8449, section 4:
+             *
+             * This value [record_size_limit] is the length of the plaintext
+             * of a protected record.
+             * The value includes the content type and padding added in TLS 1.3
+             * (that is, the complete length of TLSInnerPlaintext).
+             *
+             * Thus, round down to a multiple of MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
+             * and subtract 1 (for the content type that will be added later)
+             */
+            max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
+                       MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
+            }
     }
 #endif
 
@@ -3516,7 +3556,8 @@ int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 
 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) &&        \
-    !defined(MBEDTLS_SSL_PROTO_DTLS)
+    !defined(MBEDTLS_SSL_PROTO_DTLS) &&                 \
+    !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
     ((void) ssl);
 #endif
 
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 1a246c4df..503db5862 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2131,6 +2131,19 @@ static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
         p += extension_data_len;
     }
 
+    if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) &&
+        (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH))) {
+        mbedtls_debug_print_msg(ssl,
+                                3,
+                                __FILE__,
+                                __LINE__,
+                                "Record size limit extension cannot be used with max fragment length extension");
+        MBEDTLS_SSL_PEND_FATAL_ALERT(
+            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+            MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+        return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+    }
+
     MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
                            handshake->received_extensions);
 
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 7c7aac80e..326811a60 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1732,43 +1732,6 @@ int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
     return 0;
 }
 
-static inline size_t ssl_compute_internal_record_size_limit(size_t record_size_limit)
-{
-    /* RFC 8449, section 4:
-     *
-     * This value [record_size_limit] is the length of the plaintext of a protected record.
-     * The value includes the content type and padding added in TLS 1.3 (that is, the complete
-     * length of TLSInnerPlaintext).
-     *
-     * Thus, round down to a multiple of MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
-     * and subtract 1 (for the content type that will be added later)
-     */
-    return ((record_size_limit / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
-            MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
-}
-
-size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
-{
-    const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
-    size_t record_size_limit = max_len;
-
-    if (ssl->session != NULL &&
-        ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
-        ssl->session->record_size_limit < max_len) {
-        record_size_limit = ssl_compute_internal_record_size_limit(ssl->session->record_size_limit);
-    }
-
-    // TODO: this is currently untested
-    /* During a handshake, use the value being negotiated */
-    if (ssl->session_negotiate != NULL &&
-        ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
-        ssl->session_negotiate->record_size_limit < max_len) {
-        record_size_limit = ssl_compute_internal_record_size_limit(
-            ssl->session_negotiate->record_size_limit);
-    }
-
-    return record_size_limit;
-}
 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
 
 #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index d02d30539..3d8937da6 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -1776,6 +1776,10 @@ int mbedtls_test_ssl_tls13_populate_session(mbedtls_ssl_session *session,
     }
 #endif /* MBEDTLS_SSL_CLI_C */
 
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+    session->record_size_limit = 2048;
+#endif
+
     return 0;
 }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 05571a1dc..8a03d1b97 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -2096,6 +2096,10 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file,
     }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+    TEST_ASSERT(original.record_size_limit == restored.record_size_limit);
+#endif
+
 exit:
     mbedtls_ssl_session_free(&original);
     mbedtls_ssl_session_free(&restored);

From 65e3046e183a8df70d7806180d3f0d8b3f970ac3 Mon Sep 17 00:00:00 2001
From: Waleed Elmelegy <waleed.elmelegy@arm.com>
Date: Wed, 20 Dec 2023 17:55:10 +0000
Subject: [PATCH 07/14] Fix code style in ssl_tls.c

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
---
 library/ssl_tls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 914eec329..452970ebe 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3530,7 +3530,7 @@ int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
              */
             max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
                        MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
-            }
+        }
     }
 #endif
 

From 6a971fd61a3fc0d52f4c31379dc3a2e0651b60f9 Mon Sep 17 00:00:00 2001
From: Waleed Elmelegy <waleed.elmelegy@arm.com>
Date: Thu, 28 Dec 2023 17:48:16 +0000
Subject: [PATCH 08/14] Refactor and improve Record size limit handling

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
---
 library/ssl_tls.c          | 81 +++++++++++++++++++-------------------
 library/ssl_tls13_client.c |  8 ++--
 2 files changed, 44 insertions(+), 45 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 452970ebe..250adfb28 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3387,6 +3387,31 @@ const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
     }
 }
 
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+
+size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
+{
+    const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t record_size_limit = max_len;
+
+    if (ssl->session != NULL &&
+        ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+        ssl->session->record_size_limit < max_len) {
+        record_size_limit = ssl->session->record_size_limit;
+    }
+
+    // TODO: this is currently untested
+    /* During a handshake, use the value being negotiated */
+    if (ssl->session_negotiate != NULL &&
+        ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+        ssl->session_negotiate->record_size_limit < max_len) {
+        record_size_limit = ssl->session_negotiate->record_size_limit;
+    }
+
+    return record_size_limit;
+}
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
 {
@@ -3420,31 +3445,6 @@ size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
     return max_len;
 }
 
-#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
-
-size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
-{
-    const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
-    size_t record_size_limit = max_len;
-
-    if (ssl->session != NULL &&
-        ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
-        ssl->session->record_size_limit < max_len) {
-        record_size_limit = ssl->session->record_size_limit;
-    }
-
-    // TODO: this is currently untested
-    /* During a handshake, use the value being negotiated */
-    if (ssl->session_negotiate != NULL &&
-        ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
-        ssl->session_negotiate->record_size_limit < max_len) {
-        record_size_limit = ssl->session_negotiate->record_size_limit;
-    }
-
-    return record_size_limit;
-}
-#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
-
 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl)
 {
     size_t max_len;
@@ -3516,24 +3516,25 @@ int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
 
     if (max_len > record_size_limit) {
         max_len = record_size_limit;
-        if (ssl->transform_out != NULL &&
-            ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
-            /* RFC 8449, section 4:
-             *
-             * This value [record_size_limit] is the length of the plaintext
-             * of a protected record.
-             * The value includes the content type and padding added in TLS 1.3
-             * (that is, the complete length of TLSInnerPlaintext).
-             *
-             * Thus, round down to a multiple of MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
-             * and subtract 1 (for the content type that will be added later)
-             */
-            max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
-                       MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
-        }
     }
 #endif
 
+    if (ssl->transform_out != NULL &&
+        ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+        /* RFC 8449, section 4:
+         *
+         * This value [record_size_limit] is the length of the plaintext
+         * of a protected record.
+         * The value includes the content type and padding added in TLS 1.3
+         * (that is, the complete length of TLSInnerPlaintext).
+         *
+         * Thus, round down to a multiple of MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
+         * and subtract 1 (for the content type that will be added later)
+         */
+        max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
+                   MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
+    }
+
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
         const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 503db5862..5775a3ea5 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2133,11 +2133,9 @@ static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
 
     if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) &&
         (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH))) {
-        mbedtls_debug_print_msg(ssl,
-                                3,
-                                __FILE__,
-                                __LINE__,
-                                "Record size limit extension cannot be used with max fragment length extension");
+        MBEDTLS_SSL_DEBUG_MSG(3,
+                              (
+                                  "Record size limit extension cannot be used with max fragment length extension"));
         MBEDTLS_SSL_PEND_FATAL_ALERT(
             MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
             MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

From 87a373eea689f4b3e1582e207b442ccb3c7ad6b6 Mon Sep 17 00:00:00 2001
From: Waleed Elmelegy <waleed.elmelegy@arm.com>
Date: Thu, 28 Dec 2023 17:49:36 +0000
Subject: [PATCH 09/14] Improve Record size limit testing

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
---
 tests/ssl-opt.sh | 131 +++++++++++++++++------------------------------
 1 file changed, 48 insertions(+), 83 deletions(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 8fd295f30..de89add8c 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4842,13 +4842,9 @@ run_test    "Record Size Limit: TLS 1.3: Server-side parsing and debug output" \
             "$P_SRV debug_level=3 force_version=tls13" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4" \
             0 \
-            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-            -c "Sending extension Record Size Limit/28 (2 bytes)" \
-            -s "ClientHello: record_size_limit(28) extension received."\
-            -s "found record_size_limit extension" \
             -s "RecordSizeLimit: 16385 Bytes" \
             -s "ClientHello: record_size_limit(28) extension exists." \
-            -s "Maximum outgoing record payload length is 16384" \
+            -s "Maximum outgoing record payload length is 16383" \
             -s "bytes written in 1 fragments"
 
 requires_gnutls_tls1_3
@@ -4863,10 +4859,6 @@ run_test    "Record Size Limit: TLS 1.3: Client-side parsing and debug output" \
             -s "Preparing extension (Record Size Limit/28) for 'encrypted extensions'"
 # The P_CLI can not yet send the Record Size Limit extension. Thus, the G_NEXT_SRV does not send
 # a response in its EncryptedExtensions record.
-#            -s "Parsing extension 'Record Size Limit/28 (2 bytes)" \
-#            -s "Sending extension Record Size Limit/28 (2 bytes)" \
-#            -c "EncryptedExtensions: record_size_limit(28) extension received."\
-#            -c "found record_size_limit extension" \
 #            -c "RecordSizeLimit: 16385 Bytes"
 
 # In the following (9) tests, --recordsize is the value used by the G_NEXT_CLI (3.7.2) to configure the
@@ -4882,59 +4874,56 @@ run_test    "Record Size Limit: TLS 1.3: Client-side parsing and debug output" \
 # https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/lib/ext/record_size_limit.c#L142
 
 # Currently test certificates being used do not fit in 513 record size limit
-# so 513 record size limit tests will not pass until certificates size
-# is reduced or handshake messages fragmentation is supported.
+# so for 513 record size limit tests we use preshared key to avoid sending
+# the certificate.
 
-# requires_gnutls_tls1_3
-# requires_gnutls_record_size_limit
-# requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-# requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-# run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 1 fragment" \
-#             "$P_SRV debug_level=3 force_version=tls13 response_size=256" \
-#             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
-#             0 \
-#             -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-#             -c "Sending extension Record Size Limit/28 (2 bytes)" \
-#             -s "ClientHello: record_size_limit(28) extension received."\
-#             -s "found record_size_limit extension" \
-#             -s "RecordSizeLimit: 513 Bytes" \
-#             -s "ClientHello: record_size_limit(28) extension exists." \
-#             -s "Maximum outgoing record payload length is 511" \
-#             -s "256 bytes written in 1 fragments"
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 1 fragment" \
+            "$P_SRV debug_level=3 force_version=tls13 tls13_kex_modes=psk \
+                    psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70 \
+                    response_size=256" \
+                    "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK --recordsize 512 \
+                         --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
+            0 \
+            -s "RecordSizeLimit: 513 Bytes" \
+            -s "Maximum outgoing record payload length is 511" \
+            -s "256 bytes written in 1 fragments"
 
-# requires_gnutls_tls1_3
-# requires_gnutls_record_size_limit
-# requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-# requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-# run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 2 fragments" \
-#             "$P_SRV debug_level=3 force_version=tls13 response_size=768" \
-#             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
-#             0 \
-#             -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-#             -c "Sending extension Record Size Limit/28 (2 bytes)" \
-#             -s "ClientHello: record_size_limit(28) extension received."\
-#             -s "found record_size_limit extension" \
-#             -s "RecordSizeLimit: 513 Bytes" \
-#             -s "ClientHello: record_size_limit(28) extension exists." \
-#             -s "Maximum outgoing record payload length is 511" \
-#             -s "768 bytes written in 2 fragments"
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 2 fragments" \
+            "$P_SRV debug_level=3 force_version=tls13 tls13_kex_modes=psk \
+                    psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70 \
+                    response_size=768" \
+            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK --recordsize 512 \
+                         --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
+            0 \
+            -s "RecordSizeLimit: 513 Bytes" \
+            -s "Maximum outgoing record payload length is 511" \
+            -s "768 bytes written in 2 fragments"
 
-# requires_gnutls_tls1_3
-# requires_gnutls_record_size_limit
-# requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-# requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-# run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 3 fragments" \
-#             "$P_SRV debug_level=3 force_version=tls13 response_size=1280" \
-#             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 512" \
-#             0 \
-#             -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-#             -c "Sending extension Record Size Limit/28 (2 bytes)" \
-#             -s "ClientHello: record_size_limit(28) extension received."\
-#             -s "found record_size_limit extension" \
-#             -s "RecordSizeLimit: 513 Bytes" \
-#             -s "ClientHello: record_size_limit(28) extension exists." \
-#             -s "Maximum outgoing record payload length is 511" \
-#             -s "1280 bytes written in 3 fragments"
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 3 fragments" \
+            "$P_SRV debug_level=3 force_version=tls13 tls13_kex_modes=psk \
+                    psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70 \
+                    response_size=1280" \
+            "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK --recordsize 512 \
+                         --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
+            0 \
+            -s "RecordSizeLimit: 513 Bytes" \
+            -s "Maximum outgoing record payload length is 511" \
+            -s "1280 bytes written in 3 fragments"
 
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
@@ -4944,10 +4933,6 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
             "$P_SRV debug_level=3 force_version=tls13 response_size=512" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
             0 \
-            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-            -c "Sending extension Record Size Limit/28 (2 bytes)" \
-            -s "ClientHello: record_size_limit(28) extension received."\
-            -s "found record_size_limit extension" \
             -s "RecordSizeLimit: 1024 Bytes" \
             -s "ClientHello: record_size_limit(28) extension exists." \
             -s "Maximum outgoing record payload length is 1023" \
@@ -4961,10 +4946,6 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
             "$P_SRV debug_level=3 force_version=tls13 response_size=1536" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
             0 \
-            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-            -c "Sending extension Record Size Limit/28 (2 bytes)" \
-            -s "ClientHello: record_size_limit(28) extension received."\
-            -s "found record_size_limit extension" \
             -s "RecordSizeLimit: 1024 Bytes" \
             -s "ClientHello: record_size_limit(28) extension exists." \
             -s "Maximum outgoing record payload length is 1023" \
@@ -4978,10 +4959,6 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
             "$P_SRV debug_level=3 force_version=tls13 response_size=2560" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
             0 \
-            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-            -c "Sending extension Record Size Limit/28 (2 bytes)" \
-            -s "ClientHello: record_size_limit(28) extension received."\
-            -s "found record_size_limit extension" \
             -s "RecordSizeLimit: 1024 Bytes" \
             -s "ClientHello: record_size_limit(28) extension exists." \
             -s "Maximum outgoing record payload length is 1023" \
@@ -4995,10 +4972,6 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
             "$P_SRV debug_level=3 force_version=tls13 response_size=2048" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
             0 \
-            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-            -c "Sending extension Record Size Limit/28 (2 bytes)" \
-            -s "ClientHello: record_size_limit(28) extension received."\
-            -s "found record_size_limit extension" \
             -s "RecordSizeLimit: 4096 Bytes" \
             -s "ClientHello: record_size_limit(28) extension exists." \
             -s "Maximum outgoing record payload length is 4095" \
@@ -5012,10 +4985,6 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
             "$P_SRV debug_level=3 force_version=tls13 response_size=6144" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
             0 \
-            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-            -c "Sending extension Record Size Limit/28 (2 bytes)" \
-            -s "ClientHello: record_size_limit(28) extension received."\
-            -s "found record_size_limit extension" \
             -s "RecordSizeLimit: 4096 Bytes" \
             -s "ClientHello: record_size_limit(28) extension exists." \
             -s "Maximum outgoing record payload length is 4095" \
@@ -5029,10 +4998,6 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
             "$P_SRV debug_level=3 force_version=tls13 response_size=10240" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
             0 \
-            -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
-            -c "Sending extension Record Size Limit/28 (2 bytes)" \
-            -s "ClientHello: record_size_limit(28) extension received."\
-            -s "found record_size_limit extension" \
             -s "RecordSizeLimit: 4096 Bytes" \
             -s "ClientHello: record_size_limit(28) extension exists." \
             -s "Maximum outgoing record payload length is 4095" \

From ea03183bd7ddcae35349af9c79c8bdce780c2959 Mon Sep 17 00:00:00 2001
From: Waleed Elmelegy <waleed.elmelegy@arm.com>
Date: Fri, 29 Dec 2023 15:36:51 +0000
Subject: [PATCH 10/14] Adjust TLS 1.3 tests to new maximum output changes

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
---
 tests/ssl-opt.sh | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index de89add8c..197ca9f68 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -8589,20 +8589,20 @@ run_test    "Large client packet TLS 1.2 AEAD shorter tag" \
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test    "Large client packet TLS 1.3 AEAD" \
             "$P_SRV" \
-            "$P_CLI request_size=16384 \
+            "$P_CLI request_size=16383 \
              force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
             0 \
-            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
-            -s "Read from client: $MAX_CONTENT_LEN bytes read"
+            -c "16383 bytes written in $(fragments_for_write 16383) fragments" \
+            -s "Read from client: 16383 bytes read"
 
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test    "Large client packet TLS 1.3 AEAD shorter tag" \
             "$P_SRV" \
-            "$P_CLI request_size=16384 \
+            "$P_CLI request_size=16383 \
              force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
             0 \
-            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
-            -s "Read from client: $MAX_CONTENT_LEN bytes read"
+            -c "16383 bytes written in $(fragments_for_write 16383) fragments" \
+            -s "Read from client: 16383 bytes read"
 
 # The tests below fail when the server's OUT_CONTENT_LEN is less than 16384.
 run_test    "Large server packet TLS 1.2 BlockCipher" \
@@ -8645,17 +8645,17 @@ run_test    "Large server packet TLS 1.2 AEAD shorter tag" \
 
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test    "Large server packet TLS 1.3 AEAD" \
-            "$P_SRV response_size=16384" \
+            "$P_SRV response_size=16383" \
             "$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
             0 \
-            -c "Read from server: 16384 bytes read"
+            -c "Read from server: 16383 bytes read"
 
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test    "Large server packet TLS 1.3 AEAD shorter tag" \
-            "$P_SRV response_size=16384" \
+            "$P_SRV response_size=16383" \
             "$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
             0 \
-            -c "Read from server: 16384 bytes read"
+            -c "Read from server: 16383 bytes read"
 
 # Tests for restartable ECC
 

From bae705c12b4c8a17b8a20b6a0121beac183f2517 Mon Sep 17 00:00:00 2001
From: Waleed Elmelegy <waleed.elmelegy@arm.com>
Date: Mon, 1 Jan 2024 14:21:21 +0000
Subject: [PATCH 11/14] Fix TLS 1.2 test to use TLS 1.2 maximum output size

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
---
 tests/ssl-opt.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 197ca9f68..be736169a 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -8400,7 +8400,7 @@ run_test    "mbedtls_ssl_get_bytes_avail: extra data (*2)" \
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "mbedtls_ssl_get_bytes_avail: extra data (max)" \
-            "$P_SRV buffer_size=100" \
+            "$P_SRV buffer_size=100 force_version=tls12" \
             "$P_CLI request_size=$MAX_CONTENT_LEN" \
             0 \
             -s "Read from client: $MAX_CONTENT_LEN bytes read (100 + $((MAX_CONTENT_LEN - 100)))"

From 3d46b7f81a8ca9b0c128c8af26c5a7396b72a435 Mon Sep 17 00:00:00 2001
From: Waleed Elmelegy <waleed.elmelegy@arm.com>
Date: Mon, 1 Jan 2024 20:50:53 +0000
Subject: [PATCH 12/14] Fix Max fragmen length test to use TLS 1.2 maximum
 output size

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
---
 tests/ssl-opt.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index be736169a..0c9a5c5ca 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4481,7 +4481,7 @@ run_test    "Session resume using cache, DTLS: openssl server" \
 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "Max fragment length: enabled, default" \
-            "$P_SRV debug_level=3" \
+            "$P_SRV debug_level=3 force_version=tls12" \
             "$P_CLI debug_level=3" \
             0 \
             -c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \
@@ -4496,7 +4496,7 @@ run_test    "Max fragment length: enabled, default" \
 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "Max fragment length: enabled, default, larger message" \
-            "$P_SRV debug_level=3" \
+            "$P_SRV debug_level=3 force_version=tls12" \
             "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
             0 \
             -c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \
@@ -4534,7 +4534,7 @@ run_test    "Max fragment length, DTLS: enabled, default, larger message" \
 requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "Max fragment length: disabled, larger message" \
-            "$P_SRV debug_level=3" \
+            "$P_SRV debug_level=3 force_version=tls12" \
             "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
             0 \
             -C "Maximum incoming record payload length is 16384" \
@@ -4548,7 +4548,7 @@ run_test    "Max fragment length: disabled, larger message" \
 requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "Max fragment length, DTLS: disabled, larger message" \
-            "$P_SRV debug_level=3 dtls=1" \
+            "$P_SRV debug_level=3 dtls=1 force_version=tls12" \
             "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
             1 \
             -C "Maximum incoming record payload length is 16384" \

From 60f0f727c303e5131672710bf737aa8da8d419bf Mon Sep 17 00:00:00 2001
From: Waleed Elmelegy <waleed.elmelegy@arm.com>
Date: Thu, 4 Jan 2024 14:57:31 +0000
Subject: [PATCH 13/14] Add config dependencies to record size tests

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
---
 tests/ssl-opt.sh | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 0c9a5c5ca..92b3e171c 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4927,8 +4927,9 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
 
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 1 fragment" \
             "$P_SRV debug_level=3 force_version=tls13 response_size=512" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
@@ -4940,8 +4941,9 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
 
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 2 fragments" \
             "$P_SRV debug_level=3 force_version=tls13 response_size=1536" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
@@ -4953,8 +4955,9 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
 
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 3 fragments" \
             "$P_SRV debug_level=3 force_version=tls13 response_size=2560" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
@@ -4966,8 +4969,9 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
 
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 1 fragment" \
             "$P_SRV debug_level=3 force_version=tls13 response_size=2048" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
@@ -4979,8 +4983,9 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
 
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 2 fragments" \
             "$P_SRV debug_level=3 force_version=tls13 response_size=6144" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
@@ -4992,8 +4997,9 @@ run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit
 
 requires_gnutls_tls1_3
 requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test    "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 3 fragments" \
             "$P_SRV debug_level=3 force_version=tls13 response_size=10240" \
             "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \

From e2d3db5cfc977cd6a88e9e3d1bbfaf6f9dcb663c Mon Sep 17 00:00:00 2001
From: Waleed-Ziad Maamoun-Elmelegy
 <122474370+waleed-elmelegy-arm@users.noreply.github.com>
Date: Fri, 5 Jan 2024 14:19:16 +0000
Subject: [PATCH 14/14] Update mbedtls_ssl_get_output_record_size_limit
 signature

Co-authored-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Waleed-Ziad Maamoun-Elmelegy <122474370+waleed-elmelegy-arm@users.noreply.github.com>
---
 library/ssl_misc.h | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index fabb48bd8..c8de03609 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -441,18 +441,13 @@ size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
 
 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
 /**
- * \brief          Return the RecordSizeLimit (in bytes) for
- *                 the output buffer. This is less than the value requested by the
- *                 peer (see RFC 8449), since it subtracts the space required for the
- *                 content type and padding of the TLSInnerPlaintext struct (RFC 8446).
- *                 Returns MBEDTLS_SSL_OUT_CONTENT_LEN if no limit was requested by the peer.
- *
- * \sa             mbedtls_ssl_get_max_out_record_payload()
- *                 ssl_compute_internal_record_size_limit()
+ * \brief    Get the size limit in bytes for the protected outgoing records
+ *           as defined in RFC 8449
  *
  * \param ssl      SSL context
  *
- * \return         Current record size limit for the output buffer.
+ * \return         The size limit in bytes for the protected outgoing
+ *                 records as defined in RFC 8449.
  */
 size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl);
 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */