Diffstat (limited to 'tests')
-rw-r--r--tests/cert-tests/Makefile.am4
-rw-r--r--tests/cert-tests/data/invalid-sig4.pem23
-rw-r--r--tests/cert-tests/data/invalid-sig5.pem22
-rwxr-xr-xtests/cert-tests/invalid-sig20
-rw-r--r--tests/conv-utf8.c6
-rw-r--r--tests/pkcs11/pkcs11-token-raw.c37
-rw-r--r--tests/seccomp.c5
-rw-r--r--tests/suite/tls-fuzzer/gnutls-nocert-ssl3.json2
-rw-r--r--tests/suite/tls-fuzzer/gnutls-nocert-tls13.json38
-rw-r--r--tests/suite/tls-fuzzer/gnutls-nocert.json33
m---------tests/suite/tls-fuzzer/tlsfuzzer0
-rw-r--r--tests/test-chains.h123
-rw-r--r--tests/tls-record-size-limit.c223
-rw-r--r--tests/tls13/prf.c8
-rw-r--r--tests/tls13/rnd-check-rollback-val.c56
15 files changed, 443 insertions, 157 deletions
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 0e5692df6d..f3beadec0d 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -35,8 +35,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
templates/template-generalized.tmpl data/privkey1.pem data/privkey2.pem data/privkey3.pem \
data/name-constraints-ip.pem data/cert-invalid-utf8.der data/very-long-dn.pem \
data/provable3072.pem data/provable2048.pem data/provable-dsa2048.pem \
- data/provable-dsa2048-fips.pem templates/template-crq.tmpl \
- templates/template-unique.tmpl data/template-unique.pem \
+ data/provable-dsa2048-fips.pem templates/template-crq.tmpl data/invalid-sig5.pem \
+ templates/template-unique.tmpl data/template-unique.pem data/invalid-sig4.pem \
templates/template-othername.tmpl data/template-othername.pem \
templates/template-othername-xmpp.tmpl data/template-othername-xmpp.pem \
templates/template-krb5name.tmpl data/crl-demo1.pem data/crl-demo2.pem data/crl-demo3.pem \
diff --git a/tests/cert-tests/data/invalid-sig4.pem b/tests/cert-tests/data/invalid-sig4.pem
new file mode 100644
index 0000000000..f039e3c18f
--- /dev/null
+++ b/tests/cert-tests/data/invalid-sig4.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/invalid-sig5.pem b/tests/cert-tests/data/invalid-sig5.pem
new file mode 100644
index 0000000000..f7a148cf42
--- /dev/null
+++ b/tests/cert-tests/data/invalid-sig5.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/invalid-sig b/tests/cert-tests/invalid-sig
index eaa75c7543..bc2774e1f5 100755
--- a/tests/cert-tests/invalid-sig
+++ b/tests/cert-tests/invalid-sig
@@ -59,4 +59,24 @@ if test "${rc}" = "0"; then
exit ${rc}
fi
+#check whether different parameters in tbsCertificate than the outer signature is tolerated
+${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig4.pem"
+rc=$?
+
+# We're done.
+if test "${rc}" = "0"; then
+ echo "Verification of invalid signature (4) failed"
+ exit ${rc}
+fi
+
+#check whether different RSA-PSS parameters in tbsCertificate than the outer signature is tolerated
+${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/invalid-sig5.pem"
+rc=$?
+
+# We're done.
+if test "${rc}" = "0"; then
+ echo "Verification of invalid signature (4) failed"
+ exit ${rc}
+fi
+
exit 0
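Review bot: The message on L76 says `(4)` although that branch checks `invalid-sig5.pem`; it should read `echo "Verification of invalid signature (5) failed"`. More importantly, both new failure branches (L65-68 and L75-78) run `exit ${rc}` inside a test that is only entered when `${rc}` is 0, so a certtool that accepts these invalid signatures makes the script exit 0 and the regression passes; use `exit 1` there. The pre-existing branch on L57-59 has the same shape, so the fix belongs to all three.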
diff --git a/tests/conv-utf8.c b/tests/conv-utf8.c
index 73f4ff3abd..9d630e73d0 100644
--- a/tests/conv-utf8.c
+++ b/tests/conv-utf8.c
@@ -35,7 +35,7 @@
#include <cmocka.h>
int _gnutls_utf8_to_ucs2(const void *data, size_t size,
- gnutls_datum_t * output);
+ gnutls_datum_t * output, unsigned be);
int _gnutls_ucs2_to_utf8(const void *data, size_t size,
gnutls_datum_t * output, unsigned be);
@@ -60,7 +60,7 @@ static void PRINT(const char *str, unsigned char *val, unsigned int size)
static void fname(void **glob_state) \
{ \
gnutls_datum_t out; \
- int ret = _gnutls_utf8_to_ucs2(utf8, strlen(utf8), &out); \
+ int ret = _gnutls_utf8_to_ucs2(utf8, strlen(utf8), &out, 1); \
assert_int_equal(ret, 0); \
if (out.size != sizeof(utf16)-1 || memcmp(utf16, out.data, out.size) != 0) { PRINT("got: ", out.data, out.size); \
PRINT("expected: ", (unsigned char*)utf16, sizeof(utf16)-1); } \
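Review bot: Both test macros now pass a constant `1` as the new `be` argument of `_gnutls_utf8_to_ucs2()` (L97 here and L106 in the next hunk), so only the big-endian output is exercised and the little-endian path the parameter introduces has no coverage in this file. If the macro can take the flag as an extra parameter, instantiating the success cases a second time with `0` and the byte-swapped expected `utf16` would cover it. The macro's parameter list starts outside this hunk, so whether that is easy to thread through is inferred.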
@@ -86,7 +86,7 @@ static void fname(void **glob_state) \
static void fname(void **glob_state) \
{ \
gnutls_datum_t out; \
- int ret = _gnutls_utf8_to_ucs2(utf8, utf8_size, &out); \
+ int ret = _gnutls_utf8_to_ucs2(utf8, utf8_size, &out, 1); \
assert_int_not_equal(ret, 0); \
}
diff --git a/tests/pkcs11/pkcs11-token-raw.c b/tests/pkcs11/pkcs11-token-raw.c
index bbcb23eb81..c09e762cc5 100644
--- a/tests/pkcs11/pkcs11-token-raw.c
+++ b/tests/pkcs11/pkcs11-token-raw.c
@@ -57,6 +57,7 @@ static void tls_log_func(int level, const char *str)
fprintf(stderr, "|<%d>| %s", level, str);
}
+#define TOKEN_NAME "whatever"
void doit(void)
{
int ret;
@@ -93,6 +94,42 @@ void doit(void)
exit(1);
}
+ {
+ static const char url[] = "pkcs11:token="TOKEN_NAME;
+
+ /* Testing a too small buffer */
+ size_t size = 1;
+ char *buf = gnutls_malloc(size);
+ assert(buf != NULL);
+ ret = gnutls_pkcs11_token_get_info(url,
+ GNUTLS_PKCS11_TOKEN_LABEL,
+ buf, &size);
+ assert(ret == GNUTLS_E_SHORT_MEMORY_BUFFER);
+ assert(size == strlen(TOKEN_NAME)+1);
+
+ /* Testing a too small buffer by one */
+ size -= 1;
+ buf = gnutls_realloc(buf, size);
+ assert(buf != NULL);
+ ret = gnutls_pkcs11_token_get_info(url,
+ GNUTLS_PKCS11_TOKEN_LABEL,
+ buf, &size);
+ assert(ret == GNUTLS_E_SHORT_MEMORY_BUFFER);
+ assert(size == strlen(TOKEN_NAME)+1);
+
+ /* Testing an exactly fitting buffer */
+ buf = gnutls_realloc(buf, size);
+ assert(buf != NULL);
+ ret = gnutls_pkcs11_token_get_info(url,
+ GNUTLS_PKCS11_TOKEN_LABEL,
+ buf, &size);
+ assert(ret == 0);
+ assert(strcmp(buf, TOKEN_NAME) == 0);
+ assert(size == strlen(TOKEN_NAME));
+
+ gnutls_free(buf);
+ }
+
ret = gnutls_pkcs11_token_get_ptr("pkcs11:token=invalid", (void**)&mod, &slot_id, 0);
assert(ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
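Review bot: The successful call on L149-154 pins `size == strlen(TOKEN_NAME)` while the two short-buffer calls pin `strlen(TOKEN_NAME)+1` (L134, L144), and nothing in the block says that this asymmetry is intended; a caller that sizes from the short-buffer value and then trusts the success-path value would drop the terminator. Add a comment before the last call, such as `/* on success size excludes the NUL terminator; the short-buffer size includes it */`, so the contract being tested is explicit. The `buf = gnutls_realloc(buf, size);` assignments on L138 and L147 would leak the previous buffer on failure, which only the following `assert` makes harmless in a test.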
diff --git a/tests/seccomp.c b/tests/seccomp.c
index b68fcd7efa..466f7db740 100644
--- a/tests/seccomp.c
+++ b/tests/seccomp.c
@@ -26,6 +26,9 @@
#include <seccomp.h>
#include <errno.h>
#include <string.h>
+#if defined(__linux__)
+# include <sys/syscall.h>
+#endif
int disable_system_calls(void)
{
@@ -70,7 +73,9 @@ int disable_system_calls(void)
/* to read from /dev/urandom */
ADD_SYSCALL(read, 0);
+#ifdef SYS_getrandom
ADD_SYSCALL(getrandom, 0);
+#endif
/* we use it in select */
ADD_SYSCALL(sigprocmask, 0);
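Review bot: The `#ifdef SYS_getrandom` guard around `ADD_SYSCALL(getrandom, 0)` on L177-179 ties the allow-rule to the build host's `<sys/syscall.h>` rather than to the kernel the test runs on, so a build on older headers silently drops the rule and a getrandom() call made under the filter is then killed or fails with an unrelated-looking error. The intent appears to be avoiding a build failure when the number is unknown, but that reason is not stated; a comment such as `/* older headers lack SYS_getrandom; skip the rule rather than failing to build */` would make it clear, and the include guard on L169-171 could note that `<seccomp.h>` is Linux-only anyway. I cannot see `ADD_SYSCALL`, so whether it depends on the header's syscall number is inferred.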
diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-ssl3.json b/tests/suite/tls-fuzzer/gnutls-nocert-ssl3.json
index 9bf3fa20f1..a297392255 100644
--- a/tests/suite/tls-fuzzer/gnutls-nocert-ssl3.json
+++ b/tests/suite/tls-fuzzer/gnutls-nocert-ssl3.json
@@ -18,7 +18,7 @@
},
{"name" : "test-export-ciphers-rejected.py",
"comment" : "we negotiate AES even in SSL3.0",
- "arguments" : ["--ssl3", "-p", "@PORT@"] },
+ "arguments" : ["-p", "@PORT@"] },
{"name" : "test-client-compatibility.py",
"arguments" : ["-p", "@PORT@", "18: IE 6 on XP",
"52: YandexBot 3.0 on unknown",
diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
index 06fbf92351..47fcf878a4 100644
--- a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
+++ b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
@@ -12,6 +12,38 @@
"server_hostname": "localhost",
"server_port": @PORT@,
"tests" : [
+ {"name" : "test-record-size-limit.py",
+ "comment" : "changed extension after HRR is not supported #617",
+ "arguments" : ["-p", "@PORT@", "--reply-AD-size", "685",
+ "--minimal-size", "512",
+ "-e", "change size in TLS 1.2 resumption",
+ "-e", "change size in TLS 1.3 session resumption",
+ "-e", "check if server accepts maximum size in TLS 1.0",
+ "-e", "check if server accepts maximum size in TLS 1.1",
+ "-e", "check if server accepts maximum size in TLS 1.2",
+ "-e", "check if server accepts minimal size in TLS 1.0",
+ "-e", "check if server accepts minimal size in TLS 1.1",
+ "-e", "check if server accepts minimal size in TLS 1.2",
+ "-e", "check interaction with sha256 prf",
+ "-e", "check interaction with sha384 prf",
+ "-e", "check server sent size in TLS 1.0",
+ "-e", "check server sent size in TLS 1.1",
+ "-e", "check server sent size in TLS 1.2",
+ "-e", "drop extension in TLS 1.2 resumption",
+ "-e", "drop extension in TLS 1.3 session resumption",
+ "-e", "modified extension in 2nd CH in HRR handshake",
+ "-e", "renegotiation with changed limit",
+ "-e", "renegotiation with dropped extension",
+ "-e", "added extension in 2nd CH in HRR handshake",
+ "-e", "check server sent size in TLS 1.0 with max_fragment_length",
+ "-e", "check server sent size in TLS 1.1 with max_fragment_length",
+ "-e", "check server sent size in TLS 1.2 with max_fragment_length",
+ "-e", "removed extension in 2nd CH in HRR handshake"] },
+ {"name" : "test-record-size-limit.py",
+ "arguments" : ["-p", "@PORT@", "--reply-AD-size", "672",
+ "--minimal-size", "512",
+ "change size in TLS 1.3 session resumption",
+ "drop extension in TLS 1.3 session resumption"] },
{"name" : "test-tls13-0rtt-garbage.py",
"arguments": ["-p", "@PORT@"]},
{"name" : "test-tls13-ccs.py",
@@ -81,7 +113,11 @@
{"name" : "test-tls13-version-negotiation.py",
"arguments": ["-p", "@PORT@"]},
{"name" : "test-tls13-zero-length-data.py",
- "arguments": ["-p", "@PORT@"]}
+ "arguments": ["-p", "@PORT@"]},
+ {"name" : "test-downgrade-protection.py",
+ "comment" : "1/n-1 splitting in TLS 1.0 is not supported",
+ "arguments": ["-p", "@PORT@", "--server-max-protocol", "TLSv1.3",
+ "-e", "TLS 1.3 downgrade check for Protocol (3, 1)"]}
]
}
]
diff --git a/tests/suite/tls-fuzzer/gnutls-nocert.json b/tests/suite/tls-fuzzer/gnutls-nocert.json
index 04376f40ea..e25b6b3613 100644
--- a/tests/suite/tls-fuzzer/gnutls-nocert.json
+++ b/tests/suite/tls-fuzzer/gnutls-nocert.json
@@ -231,27 +231,38 @@
"-e", "small, maximum fragmentation: 1 fragment - 20B extension",
"-e", "medium, maximum fragmentation: 1 fragment - 1024B extension"]},
{"name" : "test-record-size-limit.py",
- "comment" : "These tests rely on too small lower limit we don't support; TLS 1.3 high limit is not what we expect; 1/n-1 splitting is not supported in TLS 1.0; we don't reject too large appliation_data records in TLS 1.2 #676",
- "arguments" : ["-p", "@PORT@", "--reply-AD-size", "{expected_size}",
- "-e", "change size in TLS 1.2 resumption",
- "-e", "change size in TLS 1.3 session resumption",
+ "comment" : "TLS 1.3 tests are done separately; 1/n-1 splitting is not supported in TLS 1.0",
+ "arguments" : ["-p", "@PORT@", "--reply-AD-size", "821",
+ "--minimal-size", "512",
"-e", "check if server accepts maximum size in TLS 1.0",
"-e", "check if server accepts maximum size in TLS 1.3",
"-e", "check if server accepts minimal size in TLS 1.0",
- "-e", "check if server accepts minimal size in TLS 1.1",
- "-e", "check if server accepts minimal size in TLS 1.2",
"-e", "check if server accepts minimal size in TLS 1.3",
+ "-e", "check if server omits extension for unrecognized size 64 in TLS 1.3",
+ "-e", "check if server omits extension for unrecognized size 511 in TLS 1.3",
"-e", "check interaction with sha256 prf",
"-e", "check interaction with sha384 prf",
"-e", "check server sent size in TLS 1.0",
"-e", "check server sent size in TLS 1.3",
- "-e", "drop extension in TLS 1.3 session resumption",
"-e", "HRR sanity",
+ "-e", "too large record payload in TLS 1.3",
+ "-e", "change size in TLS 1.3 session resumption",
+ "-e", "drop extension in TLS 1.3 session resumption",
"-e", "modified extension in 2nd CH in HRR handshake",
- "-e", "renegotiation with changed limit",
- "-e", "renegotiation with dropped extension",
- "-e", "too large record in TLS 1.2",
- "-e", "too large record payload in TLS 1.3"] },
+ "-e", "added extension in 2nd CH in HRR handshake",
+ "-e", "check server sent size in TLS 1.0 with max_fragment_length",
+ "-e", "check server sent size in TLS 1.3 with max_fragment_length",
+ "-e", "removed extension in 2nd CH in HRR handshake"] },
+ {"name" : "test-record-size-limit.py",
+ "comment" : "The reply includes PRF algorithm and affects the AD size",
+ "arguments" : ["-p", "@PORT@", "--reply-AD-size", "827",
+ "--minimal-size", "512",
+ "check interaction with sha256 prf"] },
+ {"name" : "test-record-size-limit.py",
+ "comment" : "The reply includes PRF algorithm and affects the AD size",
+ "arguments" : ["-p", "@PORT@", "--reply-AD-size", "816",
+ "--minimal-size", "512",
+ "check interaction with sha384 prf"] },
{"name" : "test-sessionID-resumption.py",
"arguments" : ["-p", "@PORT@"] },
{"name" : "test-serverhello-random.py",
diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer
-Subproject 7b2ebe4c8bd06e5a1059a8aeb5bfe2b014e2b52
+Subproject 13479e5a44bc10e3577fc28b921c5b999a363ce
diff --git a/tests/test-chains.h b/tests/test-chains.h
index 09a386c821..095ccbabd2 100644
--- a/tests/test-chains.h
+++ b/tests/test-chains.h
@@ -154,71 +154,76 @@ static const char *chain_with_no_subject_id_in_ca_ok[] = {
"-----END CERTIFICATE-----\n"
};
+/* This chain was generated by a modified gnutls lib. The script tests/suite/certs/create-chain.sh
+ * was used after modifying it to generate RSA-PSS certificates and set 64 byte salt in intermediate
+ * CA, and 48-byte otherwise. Then _gnutls_x509_write_sign_params() was modified to set a 32-byte salt
+ * when it would have set a 64-byte one. That way signatures from the intermediate certificate restricted
+ * to 64-byte salts will be incorrectly set to 32-bytes. */
static const char *rsa_pss_chain_smaller_salt_in_sig_fail[] = {
"-----BEGIN CERTIFICATE-----\n"
- "MIIDfzCCAjegAwIBAgIMWXnRYyUPHcgwMUF2MD0GCSqGSIb3DQEBCjAwoA0wCwYJ\n"
- "YIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgMA8xDTAL\n"
- "BgNVBAMTBENBLTEwIBcNMTcwNzI3MTE0MTIzWhgPOTk5OTEyMzEyMzU5NTlaMBMx\n"
- "ETAPBgNVBAMTCHNlcnZlci0yMIIBIDALBgkqhkiG9w0BAQoDggEPADCCAQoCggEB\n"
- "ALPUjrvjgPh9hv3gYDxu/Un28TzS3os+O1eAbVGuTeO0BX3u5D2ZtaVeB7gLwSku\n"
- "YkDKLrXs+M5BsvpZOfKIyQjrLuc5U5ik8W7SsSH5MVliergMTz4Qi+DtXdsrIjpk\n"
- "oTDxgUatrpYQSocPfqdMgma3DyW3jlZv4BoLZ95TsJi23qZxZI9fQeGG9DZ+x2h6\n"
- "3QeW4OTpJB75O6ruas7KiId9RH6WHj/JvLF99RGhPHa7SUZstyvnDA80Igood6S6\n"
- "J3GNs1RHnaHeOqcyfbdNzlyTaLK0Acos6AKlkm4OYABXRmfDSyjVPto7FTV4I9CV\n"
- "jSRXOa5IK3kUvFApM6SvzQsCAwEAAaN3MHUwDAYDVR0TAQH/BAIwADAUBgNVHREE\n"
- "DTALgglsb2NhbGhvc3QwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUhAHLtEhd\n"
- "NxMr6TQX5GB4a29ng4YwHwYDVR0jBBgwFoAU6h4fxmpkIoNy/qx6u4Z13H7WN+Qw\n"
- "PQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJ\n"
- "YIZIAWUDBAIBogMCASADggEBAL5SQpMtcGQ4mNZaaW3SNB8EBPo4VZ1GXYsOd0ef\n"
- "JmhNKKrw5Z2WHR8xDbP7cwq/X+U0M9TMhCWPaDgzt46TJu+ct43UqGt/bgz2Xt2R\n"
- "xCvlhwGNM3A5c417jmNQiQvMyCiEZSPD7RLowoE34XyjaxydYoWGq9otNoIq0CX9\n"
- "Q7GZudWfWvwDU3zM8gy6k8EPmOgG8PdvW6PjKyf5y/uSDHY7Dm8d9E/uybAbZUVo\n"
- "WfdwhhP66EDmNozTNaBcfIkJTmuxq2oxnA8JS1V5hMccfZLIRh0hBkpdGXSAOMNV\n"
- "qjqJUOWrbU5hbcZUk2UHK34rNvkX+rDmuKD2vAQ7MguzHfI=\n"
+ "MIIDiTCCAkGgAwIBAgIUMquMu6/Azo9N40rNZ1z7hkotqC0wPQYJKoZIhvcNAQEK\n"
+ "MDCgDTALBglghkgBZQMEAgKhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAICogMC\n"
+ "ASAwDzENMAsGA1UEAxMEQ0EtMTAgFw0xOTAyMTIyMDU0NTlaGA85OTk5MTIzMTIz\n"
+ "NTk1OVowEzERMA8GA1UEAxMIc2VydmVyLTIwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+ "DwAwggEKAoIBAQDrEJ5ONj7OYNjDZ3johFKItvX6BFJ7ejLfNELvT7I9hsiGJBr5\n"
+ "Q/NgeQolSXLKHYG0L5Lxu1fbHINzC43NEivY3KMKKl0+MdXWwAr0yW/cTeuDc/+e\n"
+ "YqGT3TpCcxa/0dJ+Y3zAS1DqsHjNOxyYBvyKATyvFKo+oAwOqtR/OLflUvoXvYZV\n"
+ "YByseOLhE70Vfuk8yppRcKwokwk/3S6dZjoxK1K3PBQGARJNaUChtx5iM1qMrluK\n"
+ "uDj7yV9DYhtyhSmYvcZ1gb3t0aAxGoGbfdOHa7XMovzfRDUPbwvkKUJqcNfGkeGn\n"
+ "pZRzbA8D/YrjFtm7QVgf6yD20DbZChzoxRWzAgMBAAGjdzB1MAwGA1UdEwEB/wQC\n"
+ "MAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0O\n"
+ "BBYEFM/CHpfVzdNRBMYfqBXUieW9m9oFMB8GA1UdIwQYMBaAFDBBFsyy+oqRFlRx\n"
+ "MH5qlHt7guXUMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAICoRowGAYJKoZI\n"
+ "hvcNAQEIMAsGCWCGSAFlAwQCAqIDAgEgA4IBAQADuShUlCXrs5K6Yu7mKvoyZztJ\n"
+ "dQFuxv4WDvbhoZ19GEEg6icRUoaA3tWKf7tNRnqQklMLhWIZParXtt+xz7q5K6ic\n"
+ "kX5oGzzUNryAx5DJkZCCffdA1FaQjCEI6Cy5cEnGifXyacwA7BViUwMnWvJRSKYi\n"
+ "gvBVKc1TBwA+vPIzlSb3COo1zhshxM+C7mhzspDFkceXV7qapFDMj7M/GbgqH7h0\n"
+ "yuJv2bymytjXadR43LuG6yqqsFvIPHYBcyPq3Uzu+57UJbHhAlkTXaAXfZkc1Ut7\n"
+ "Xz8pOEzcxZHl4SEgsO6KeT2uQUE1Zx5AgwaNfuMmg0aFJep8vKcQ1jvdzxS2\n"
"-----END CERTIFICATE-----\n",
"-----BEGIN CERTIFICATE-----\n"
- "MIIDmjCCAlKgAwIBAgIMWXnRYyHbNWzuFxmzMD0GCSqGSIb3DQEBCjAwoA0wCwYJ\n"
- "YIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFAMA8xDTAL\n"
- "BgNVBAMTBENBLTAwIBcNMTcwNzI3MTE0MTIzWhgPOTk5OTEyMzEyMzU5NTlaMA8x\n"
- "DTALBgNVBAMTBENBLTEwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAIB\n"
- "oRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEKAoIBAQDB\n"
- "uQ2UwKWT1BfN6H2B3svKL34aPW/+MTfN8McvExZsZYuQyRxeG8SV4uJ+GAtJ/Ml/\n"
- "eaUqiKG0pNCna846FUtAax/0quuVSaZ2xOVA3lMKj2frtRLJ3W6ZaglCHkZUHhII\n"
- "JEtE1s0F8aaaZ6X4/57OAi6uyFNuBSBsp3giQS6SrtFMbhq7OuSSt2T14XlVGvAI\n"
- "TiO7t21+Eukq2jDGOerUax4Yxki4l8589uXu5IQzZalj42hr9YKbNb75RAICNnY8\n"
- "jxCezc0o8KNoDF0IAK7UERz6uUQElUh/bdm0k3UV+uVA6t0disZ4gdenPuLsGSVD\n"
- "9fcbh/zFlv2V3A9HLJB3AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P\n"
- "AQH/BAUDAwcEADAdBgNVHQ4EFgQU6h4fxmpkIoNy/qx6u4Z13H7WN+QwHwYDVR0j\n"
- "BBgwFoAUZ97LfvATPRiWxwNOO+sxC5ig8VkwPQYJKoZIhvcNAQEKMDCgDTALBglg\n"
- "hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggEBAFGH\n"
- "zxWW8R95wmmuDecuKf31LEKPubtaeqMRqt2Vk2mGCQOxcerl6MMGyl3w46hEkAjU\n"
- "jAPwmNnB9xyEyqR5w2TYrpzsrnUcZn+6HzSiPTEJ0jhY2S8N2V+Bch1QgMwlgeaD\n"
- "bZrY6qAG6PeqoQ8XhZ8+1sI/IpQKJHmmBN+qYbLFxEPjE4QnBahPbKfbpMY0MMX0\n"
- "uuI2nSBKcYmkYiWBYdydpP24VfeoUP0V6bXc5rrDdCNGp+AxUID51GT0AoMf2FGK\n"
- "LeOLJtPqH7raz44pa1qezHq4gPeXC0Ende9j7IimpsdB6eDVle8UZipfeASq9XVL\n"
- "F430KTcS7x42r71NZUU=\n"
+ "MIIDojCCAlqgAwIBAgIUYIZPL5Kf86B0XYSKAdI8dv4HJY8wPQYJKoZIhvcNAQEK\n"
+ "MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n"
+ "ATAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTAyMTIyMDU0NTlaGA85OTk5MTIzMTIz\n"
+ "NTk1OVowDzENMAsGA1UEAxMEQ0EtMTCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg\n"
+ "hkgBZQMEAgKhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAICogMCAUADggEPADCC\n"
+ "AQoCggEBANCQ6fUJYYI3OTDYIcyshBdnVBQq0uGjHg/04niCpoAZi/nlfP3tCRZS\n"
+ "k44kMt6hla9cEkdj5mzeGFlG5AYG9C5MimyYwTJ5Sho6t8ct4wPESeypuDbcvMRX\n"
+ "MTLM/9+ZECkDgKA238z4sNX0T0ppsCXy8IK0Jmn7bky6lqNmaMTjYWy7Tu4kQOMX\n"
+ "7RE4tv/WlaH95d7zHYuaAf5dNY5GJ/cGrkYLrL1KpN/UU/4KKxvWs3EbsnDvrTcs\n"
+ "mzLrTOIaedrrNXY6FsGE3+XKDCo+Z80LsrySpCozAECrEFCENMfS3ptOwI+Vblb1\n"
+ "Kar8+4+7uMxbGY/RJ/gGIKGYibkpzicCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB\n"
+ "/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQwQRbMsvqKkRZUcTB+apR7e4Ll\n"
+ "1DAfBgNVHSMEGDAWgBR1lWzS3rLSrmdPPgma8JL4j1PJgzA9BgkqhkiG9w0BAQow\n"
+ "MKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIB\n"
+ "MAOCAQEAnYZf5bo7ZtysyLO/3QjAM+o1IWXinH97XANEbs5oZOK/rQNLBIpOLaYp\n"
+ "YcnziJTEIqvy+7/KNwdjLcKZ4f5PBlDHBsr70XeJmMc+9/ZadY14BHZUEWNfBPx5\n"
+ "dZR55/g62CdermdCJEoY6XdIMqdTHrdwmBIS/7g/dciQt0+lrjanX14VLAVRUAIu\n"
+ "HMn5C4ZGeBDd8av3P+VIqdkFfpAYlZ5BsYqshel4pnAyhpUO5wTmY7cm78fqctyX\n"
+ "qmQ0PRLQXmlqrL2oJtlGcSWlT0u1bS0gJPpvszataCZhnX/O9x6yzzgeUpP4I/AR\n"
+ "KS4ZXRehFmQH4xS1eq5fmWiTzbvWHA==\n"
"-----END CERTIFICATE-----\n",
NULL,
"-----BEGIN CERTIFICATE-----\n"
- "MIIDeTCCAjGgAwIBAgIMWXnRYxvG34hjjASYMD0GCSqGSIb3DQEBCjAwoA0wCwYJ\n"
- "YIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFAMA8xDTAL\n"
- "BgNVBAMTBENBLTAwIBcNMTcwNzI3MTE0MTIzWhgPOTk5OTEyMzEyMzU5NTlaMA8x\n"
- "DTALBgNVBAMTBENBLTAwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAIB\n"
- "oRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFAA4IBDwAwggEKAoIBAQCw\n"
- "/vJ8ccKv5ptzLvQjduQJ67JMAsizWhdkOlEy1idzXo/qjtEw6eqUJdcraF5Nzhon\n"
- "HnXtioIvV2C3cYtauKO2rCKjlChiK59YaaeIbl521sSLRpFYhYIKkjOLHJePxHny\n"
- "FTQEuF8b8CvrM8GsxIVZ9U+DRnxJdzhUiqxadnPpiXG/IrQRBjm/Abb8s/CG+Ny6\n"
- "sEJBt9gDYfIfgDfbzeLu5zaPibi4N/+fYfToA7I8LXn7/AmsWAIjrY9rSOxdKJKw\n"
- "H5C0Yd7myhtJY0EeHDl3Y3L+lwO/JkqxhRzIiZnIbxFcgeb9lZjeU94z/oi3mI7H\n"
- "xzOk+D7IGgCkEBhfY53RAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P\n"
- "AQH/BAUDAwcGADAdBgNVHQ4EFgQUZ97LfvATPRiWxwNOO+sxC5ig8VkwPQYJKoZI\n"
- "hvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUD\n"
- "BAIBogMCAUADggEBAH3ilegUORDk8WQ7sQWFsM1L3nnfGLlHAcac+P6vLnMCkkiD\n"
- "bpzqKEfAvEnRnZhU9vMLJkv2vUNzqIaLalPveZx98yYAxDkjGbF3PU9Eesd+JYWd\n"
- "aJQIqpFxMDgnAXhpny6JFnMS4PWqu8NDLukEXCeeC+asweChP4TubHTJYXVRlCPL\n"
- "Xla2fDgaG3ZKAgoUo18Hmc+Ju/17jQxgVa+SUQW9AJL+87pUoaGP1lzwrRuZl4rr\n"
- "kmuKVjoKukJ9BYIlz6RZ/8kZZtoCd7e84DJ+zEAd0/s9w5K6lzS0gpFDi/Yo23sr\n"
- "6L6PwffJ42OdtgXobk6AlzKU5r3iQFdu4juNNQ0=\n"
+ "MIIDgTCCAjmgAwIBAgIUUVxp7I/ecuDCjWdn2Rng+TBNidUwPQYJKoZIhvcNAQEK\n"
+ "MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n"
+ "ATAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTAyMTIyMDU0NTlaGA85OTk5MTIzMTIz\n"
+ "NTk1OVowDzENMAsGA1UEAxMEQ0EtMDCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg\n"
+ "hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCATADggEPADCC\n"
+ "AQoCggEBAMcPAwX89KK6Nz39xdQRbSy9Ax7XzKAqtmmIczRVTKqsdQh4bm/gDuD6\n"
+ "Edxjl02cISBLczWV13brINSBI+QX/eLPyBmGGzI4ryyJuP+1qc0NMjDAlfYw+kXF\n"
+ "NZz02W6svxvrrt26mKJ1F+K/bZE+s9XHN0DW+hifQBBr8HX3BWJ9g6yj6YPd55pm\n"
+ "kQQcVgRG3BG1EMkJGK4LNesGdJGTHy+uqgtcykrMjh25uhr0oTOG6UjVYjXalZ5o\n"
+ "rOqo6CV+uGPmJYW2pBOlAOmblMMXSHXhIAhRBY8+h01BCsCU5wlEfPIsvclP2gSG\n"
+ "RVbM/9XgS/+4yN0fD+oXgi5Jh6TCYz8CAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB\n"
+ "/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBR1lWzS3rLSrmdPPgma8JL4j1PJ\n"
+ "gzA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDAL\n"
+ "BglghkgBZQMEAgGiAwIBMAOCAQEAqudvb92hfo7iAS63u902onL2XwhfS9IZtu3D\n"
+ "Lum78Q8nzhWf+YSls4/o8ln/Erv8LfrrhxoPEVpxQTPCbj/mmHez3hh+xrb0ZUVQ\n"
+ "pi5gE6kkkzzvL1VEMce85RLbm4AyVDl4onU2gaFXTxpMpKwBTZoKRbLcG2TsQgyW\n"
+ "Kgq+XnyT/1AC2vp4Ou8G1MIh5bkfetTeo2KJ3lmEVGoUh0k0diayDwaBgBDeX7hl\n"
+ "XvKrG/hhhWPVWNDXdQsiYYKVty76yM3vJiK9No1+jPZzNTv+pZaRqJiQ/ZaCICvC\n"
+ "uK/63Yrle+W/W1Jdj23/kSSL94ugw7PFwbqo2gPkECbG2Mk8pw==\n"
"-----END CERTIFICATE-----\n"
};
@@ -4120,7 +4125,7 @@ static struct
{ "rsa pss: invalid self sig - fail", rsa_pss_invalid_self_sig, &rsa_pss_invalid_self_sig[0], GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1501138253},
{ "rsa pss: invalid chain with pkcs#1 1.5 sig - fail", rsa_pss_invalid_chain_with_pkcs1_sig, &rsa_pss_invalid_chain_with_pkcs1_sig[2], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1501138253},
{ "rsa pss: invalid chain with wrong hash (sha384-sha256) - fail", rsa_pss_invalid_chain_with_wrong_hash, &rsa_pss_invalid_chain_with_wrong_hash[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1501138253},
- { "rsa pss: smaller salt in sig than spki - fail", rsa_pss_chain_smaller_salt_in_sig_fail, &rsa_pss_chain_smaller_salt_in_sig_fail[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1501159136},
+ { "rsa pss: smaller salt in sig than spki - fail", rsa_pss_chain_smaller_salt_in_sig_fail, &rsa_pss_chain_smaller_salt_in_sig_fail[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1550005473},
{ "rsa pss: chain with sha1 hash - fail", rsa_pss_chain_with_sha1_fail, &rsa_pss_chain_with_sha1_fail[3], 0, GNUTLS_CERT_INVALID, 0, 1501159136},
{ "rsa pss: chain with different mgf hash - fail", rsa_pss_chain_with_diff_mgf_oid_fail, &rsa_pss_chain_with_diff_mgf_oid_fail[3], 0, GNUTLS_CERT_INVALID, 0, 1501159136},
{ "rsa pss: chain with sha256 - ok", rsa_pss_chain_sha256_ok, &rsa_pss_chain_sha256_ok[3], 0, 0, 0, 1501138253},
diff --git a/tests/tls-record-size-limit.c b/tests/tls-record-size-limit.c
index 8c9729719f..8346ee56d9 100644
--- a/tests/tls-record-size-limit.c
+++ b/tests/tls-record-size-limit.c
@@ -52,9 +52,10 @@
#define HANDSHAKE_SESSION_ID_POS 34
-static size_t max_record_size;
+static size_t server_max_send_size;
+static size_t client_max_send_size;
-#define SERVER_PUSH_ADD if (len > max_record_size + 5+32) fail("max record set to %d, len: %d\n", (int)max_record_size, (int)len);
+#define SERVER_PUSH_ADD if (len > server_max_send_size + 5+32) fail("max record set to %d, len: %d\n", (int)server_max_send_size, (int)len);
#include "eagain-common.h"
#include "cert-common.h"
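Review bot: `client_max_send_size` is introduced on L462, but only `SERVER_PUSH_ADD` on L464 bounds what actually goes on the wire, so an over-sized client record would be caught only by the return-value checks in `start()` and not at the transport. If `eagain-common.h` offers a client-side hook analogous to `SERVER_PUSH_ADD`, defining it as `#define CLIENT_PUSH_ADD if (len > client_max_send_size + 5+32) fail("client max record set to %d, len: %d\n", (int)client_max_send_size, (int)len);` would make the two sides symmetric. I cannot see that header, so whether such a hook exists is inferred.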
@@ -136,22 +137,23 @@ static int handshake_callback(gnutls_session_t session, unsigned int htype,
#define MAX_BUF 16384
static char buffer[MAX_BUF];
-struct test_ext_st {
+struct test_exp_st {
+ int error;
+ size_t size;
bool max_record_size;
bool record_size_limit;
};
struct test_st {
const char *prio;
- size_t max_size;
+ size_t server_max_size;
+ size_t client_max_size;
- int expect_error;
- size_t expect_size;
- struct test_ext_st expect_server_ext;
- struct test_ext_st expect_client_ext;
+ struct test_exp_st server_exp;
+ struct test_exp_st client_exp;
};
-static void check_exts(const struct test_ext_st *exp,
+static void check_exts(const struct test_exp_st *exp,
struct handshake_cb_data_st *data)
{
if (exp->max_record_size && !data->found_max_record_size)
@@ -198,6 +200,15 @@ static void start(const struct test_st *test)
serverx509cred);
gnutls_priority_set_direct(server, test->prio, NULL);
+
+ ret = gnutls_record_set_max_size(server, test->server_max_size);
+ if (ret != test->server_exp.error)
+ fail("server: unexpected error from gnutls_record_set_max_size()");
+ if (ret == 0)
+ server_max_send_size = test->server_max_size;
+ else
+ server_max_send_size = MAX_BUF;
+
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_pull_timeout_function(server,
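Review bot: The new server block on L498-504 duplicates the client block in the following hunk (set the limit, compare with the expected error, fall back to `MAX_BUF`), differing only in the session, the expectation and the message prefix. A small helper that returns the effective send size keeps the two sides in step if the fallback rule ever changes and removes the copy. `start()` continues outside this hunk, so the client call site is shown from the next hunk's lines.
```c
/* Apply one side's record-size limit and return the size the test may
 * expect that side to send (MAX_BUF when the request was rejected). */
static size_t apply_max_size(gnutls_session_t session, size_t max_size,
			     int expected_error, const char *side)
{
	int ret = gnutls_record_set_max_size(session, max_size);

	if (ret != expected_error)
		fail("%s: unexpected error from gnutls_record_set_max_size()", side);
	return ret == 0 ? max_size : MAX_BUF;
}

/* … in start(), unchanged: credential and priority setup … */
	server_max_send_size = apply_max_size(server, test->server_max_size,
					      test->server_exp.error, "server");
/* … unchanged: transport setup, client init … */
	client_max_send_size = apply_max_size(client, test->client_max_size,
					      test->client_exp.error, "client");
```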
@@ -233,13 +244,13 @@ static void start(const struct test_st *test)
if (ret < 0)
exit(1);
- ret = gnutls_record_set_max_size(client, test->max_size);
- if (ret != test->expect_error)
- fail("unexpected error from gnutls_record_set_max_size()");
+ ret = gnutls_record_set_max_size(client, test->client_max_size);
+ if (ret != test->client_exp.error)
+ fail("client: unexpected error from gnutls_record_set_max_size()");
if (ret == 0)
- max_record_size = test->max_size;
+ client_max_send_size = test->client_max_size;
else
- max_record_size = MAX_BUF;
+ client_max_send_size = MAX_BUF;
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
@@ -256,22 +267,39 @@ static void start(const struct test_st *test)
HANDSHAKE(client, server);
memset(buffer, 1, sizeof(buffer));
- ret = gnutls_record_send(server, buffer, max_record_size + 1);
+ ret = gnutls_record_send(server, buffer, server_max_send_size + 1);
if (ret < 0) {
gnutls_perror(ret);
exit(1);
}
- if (ret != (int)test->expect_size)
- fail("unexpected record size sent: %d (%d)\n",
- ret, (int)test->expect_size);
- success("did not send a %d-byte packet\n", (int)max_record_size + 1);
+ if (ret != (int)test->server_exp.size)
+ fail("server: unexpected record size sent: %d (%d)\n",
+ ret, (int)test->server_exp.size);
+ success("server: did not send a %d-byte packet\n", (int)server_max_send_size + 1);
- ret = gnutls_record_send(server, buffer, max_record_size);
+ ret = gnutls_record_send(server, buffer, server_max_send_size);
if (ret < 0) {
gnutls_perror(ret);
exit(1);
}
- success("did send a %d-byte packet\n", (int)max_record_size);
+ success("server: did send a %d-byte packet\n", (int)server_max_send_size);
+
+ ret = gnutls_record_send(client, buffer, client_max_send_size + 1);
+ if (ret < 0) {
+ gnutls_perror(ret);
+ exit(1);
+ }
+ if (ret != (int)test->client_exp.size)
+ fail("client: unexpected record size sent: %d (%d)\n",
+ ret, (int)test->client_exp.size);
+ success("client: did not send a %d-byte packet\n", (int)client_max_send_size + 1);
+
+ ret = gnutls_record_send(client, buffer, client_max_send_size);
+ if (ret < 0) {
+ gnutls_perror(ret);
+ exit(1);
+ }
+ success("client: did send a %d-byte packet\n", (int)client_max_send_size);
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
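Review bot: `gnutls_record_send(client, buffer, client_max_send_size + 1)` on L552, like the server send on L530, passes a length of `MAX_BUF + 1` whenever the requested limit was rejected and the send size fell back to `MAX_BUF`, yet `buffer` is declared with exactly `MAX_BUF` bytes (L469 in an earlier hunk), so the call describes one byte past the array; declaring it `static char buffer[MAX_BUF + 1];` keeps the length in bounds regardless of how much the library actually copies. The second client send on L562-567 prints `did send a %d-byte packet` with `client_max_send_size` without checking `ret`; in the 16383/16384 entry added later in this diff the client presumably sends 16383, so `if (ret != (int)test->client_exp.size) fail("client: unexpected record size sent: %d (%d)\n", ret, (int)test->client_exp.size);` before the `success()` would turn the message into an actual check. The same applies to the server's second send on L544-550.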
@@ -286,79 +314,94 @@ static void start(const struct test_st *test)
reset_buffers();
- check_exts(&test->expect_server_ext,
+ check_exts(&test->server_exp,
&server_handshake_cb_data);
- check_exts(&test->expect_client_ext,
+ check_exts(&test->client_exp,
&client_handshake_cb_data);
}
static const struct test_st tests[] = {
{
.prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2",
- .max_size = 511,
- .expect_error = GNUTLS_E_INVALID_REQUEST,
- .expect_size = 16384,
- .expect_server_ext = {
+ .server_max_size = 511,
+ .client_max_size = 511,
+ .server_exp = {
+ .error = GNUTLS_E_INVALID_REQUEST,
+ .size = 16384,
.max_record_size = 0,
.record_size_limit = 1
},
- .expect_client_ext = {
+ .client_exp = {
+ .error = GNUTLS_E_INVALID_REQUEST,
+ .size = 16384,
.max_record_size = 0,
.record_size_limit = 1
}
},
{
.prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2",
- .max_size = 512,
- .expect_error = 0,
- .expect_size = 512,
- .expect_server_ext = {
+ .server_max_size = 512,
+ .client_max_size = 512,
+ .server_exp = {
+ .error = 0,
+ .size = 512,
.max_record_size = 1,
.record_size_limit = 1
},
- .expect_client_ext = {
+ .client_exp = {
+ .error = 0,
+ .size = 512,
.max_record_size = 0,
.record_size_limit = 1
}
},
{
.prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2",
- .max_size = 8192,
- .expect_error = 0,
- .expect_size = 8192,
- .expect_server_ext = {
+ .server_max_size = 8192,
+ .client_max_size = 8192,
+ .server_exp = {
+ .error = 0,
+ .size = 8192,
.max_record_size = 0,
.record_size_limit = 1
},
- .expect_client_ext = {
+ .client_exp = {
+ .error = 0,
+ .size = 8192,
.max_record_size = 0,
.record_size_limit = 1
}
},
{
.prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2",
- .max_size = 16384,
- .expect_error = 0,
- .expect_size = 16384,
- .expect_server_ext = {
+ .server_max_size = 16384,
+ .client_max_size = 16384,
+ .server_exp = {
+ .error = 0,
+ .size = 16384,
.max_record_size = 0,
.record_size_limit = 1
},
- .expect_client_ext = {
+ .client_exp = {
+ .error = 0,
+ .size = 16384,
.max_record_size = 0,
.record_size_limit = 1
}
},
{
.prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2",
- .max_size = 16385,
- .expect_error = GNUTLS_E_INVALID_REQUEST,
- .expect_size = 16384,
- .expect_server_ext = {
+ .server_max_size = 16385,
+ .client_max_size = 16385,
+ .server_exp = {
+ .error = GNUTLS_E_INVALID_REQUEST,
+ .size = 16384,
.max_record_size = 0,
.record_size_limit = 1
},
- .expect_client_ext = {
+ .client_exp = {
+ .error = GNUTLS_E_INVALID_REQUEST,
+ .size = 16384,
.max_record_size = 0,
.record_size_limit = 1
}
@@ -366,70 +409,102 @@ static const struct test_st tests[] = {
{
.prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3",
- .max_size = 511,
- .expect_error = GNUTLS_E_INVALID_REQUEST,
- .expect_size = 16384,
- .expect_server_ext = {
+ .server_max_size = 511,
+ .client_max_size = 511,
+ .server_exp = {
+ .error = GNUTLS_E_INVALID_REQUEST,
+ .size = 16384,
.max_record_size = 0,
.record_size_limit = 1
},
- .expect_client_ext = {
+ .client_exp = {
+ .error = GNUTLS_E_INVALID_REQUEST,
+ .size = 16384,
.max_record_size = 0,
.record_size_limit = 1
}
- },
+ },
{
.prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3",
- .max_size = 512,
- .expect_error = 0,
- .expect_size = 512,
- .expect_server_ext = {
+ .server_max_size = 512,
+ .client_max_size = 512,
+ .server_exp = {
+ .error = 0,
+ .size = 512,
.max_record_size = 1,
.record_size_limit = 1
},
- .expect_client_ext = {
+ .client_exp = {
+ .error = 0,
+ .size = 512,
+ .max_record_size = 0,
+ .record_size_limit = 1
+ }
+ },
+ {
+ .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3",
+ .server_max_size = 8192,
+ .client_max_size = 8192,
+ .server_exp = {
+ .error = 0,
+ .size = 8192,
+ .max_record_size = 0,
+ .record_size_limit = 1
+ },
+ .client_exp = {
+ .error = 0,
+ .size = 8192,
.max_record_size = 0,
.record_size_limit = 1
}
},
{
.prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3",
- .max_size = 8192,
- .expect_error = 0,
- .expect_size = 8192,
- .expect_server_ext = {
+ .server_max_size = 16384,
+ .client_max_size = 16384,
+ .server_exp = {
+ .error = 0,
+ .size = 16384,
.max_record_size = 0,
.record_size_limit = 1
},
- .expect_client_ext = {
+ .client_exp = {
+ .error = 0,
+ .size = 16384,
.max_record_size = 0,
.record_size_limit = 1
}
},
{
.prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3",
- .max_size = 16384,
- .expect_error = 0,
- .expect_size = 16384,
- .expect_server_ext = {
+ .server_max_size = 16383,
+ .client_max_size = 16384,
+ .server_exp = {
+ .error = 0,
+ .size = 16383,
.max_record_size = 0,
.record_size_limit = 1
},
- .expect_client_ext = {
+ .client_exp = {
+ .error = 0,
+ .size = 16383,
.max_record_size = 0,
.record_size_limit = 1
}
},
{
.prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3",
- .max_size = 16385,
- .expect_error = GNUTLS_E_INVALID_REQUEST,
- .expect_size = 16384,
- .expect_server_ext = {
+ .server_max_size = 16385,
+ .client_max_size = 16385,
+ .server_exp = {
+ .error = GNUTLS_E_INVALID_REQUEST,
+ .size = 16384,
.max_record_size = 0,
.record_size_limit = 1
},
- .expect_client_ext = {
+ .client_exp = {
+ .error = GNUTLS_E_INVALID_REQUEST,
+ .size = 16384,
.max_record_size = 0,
.record_size_limit = 1
}
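Review bot: The entry on L780-794 is the only one where the two sides differ (`.server_max_size = 16383`, `.client_max_size = 16384`) and where the client's expected size, 16383, is not its own setting; without a comment the intent — that the client must honour the smaller record_size_limit the server advertises — has to be reverse-engineered from the numbers. Add `/* client limit above the server's: client sends must honour the peer's advertised 16383 */` above `.server_max_size = 16383`. The whitespace-only change on L711-712 is unrelated to the rest of the hunk.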
diff --git a/tests/tls13/prf.c b/tests/tls13/prf.c
index 75daff59d4..fda8ce6843 100644
--- a/tests/tls13/prf.c
+++ b/tests/tls13/prf.c
@@ -130,10 +130,10 @@ static void dump(const char *name, const uint8_t *data, unsigned data_size)
} \
}
-#define KEY_EXP_VALUE "\xfb\xcb\x96\x87\x8c\x64\x8b\x60\xef\xdc\x76\xb0\x7c\x3b\xd1\x50\x1e\xb1\x3f\x39\xb2\x20\x74\x2c\xb2\x76\x12\x9f\xfc\xad\xb9\xce\x1d\x9a"
-#define HELLO_VALUE "\x61\x32\x14\x81\x9b\xa0\x43\xcd\x39\xbf\x63\x18\x7c\xb7\xf3\x02\x65\xab\x2c\xa4\xaf\xbc\x1c\x7a\x1d\xa4\xc5\x28\x8f\x45\x68"
-#define CONTEXT_VALUE "\xa7\x3c\xa7\x59\x94\x33\xb4\x97\x90\x92\x8c\xe2\x39\xda\x56\x42\x4a\xeb\xeb\xab\x73\xc4\x20\xf0\x34\x4f\xda\xf8\x17\xf5\xbd"
-#define NULL_CONTEXT_VALUE "\x66\xa1\x0a\xcb\xfa\x28\x85\x79\xa3\x30\xeb\xc5\xd5\x50\x62\xdd\xb4\x9c\xa7\x0b\x0b\xe0\x28\x03\x18\xfb\x32\x3d\x37\xf2\xe5"
+#define KEY_EXP_VALUE "\xec\x26\x9e\x8c\x5f\xff\x5c\xb2\x60\x4f\x82\xe7\x6b\xb9\x70\x40\xb9\x2d\x2f\xe7\x41\xa8\xe7\xfa\x03\x7c\xe8\x6d\xfa\xda\xc2\xa9\x3f\x58"
+#define HELLO_VALUE "\xd4\x74\x4a\x09\x28\x0a\x99\xb9\xa4\x5b\x51\x5b\x80\xe7\x50\x1c\x16\xca\x57\x78\xf0\xe5\xa1\x94\x6b\x20\x2b\x14\xff\x2b\x53"
+#define CONTEXT_VALUE "\x8d\xde\xea\x58\xab\x90\xaf\x6c\x5c\x7a\x69\xbf\x8a\xd2\x16\xb4\x0f\x75\xb8\x63\xdb\x86\xe7\x66\x04\x59\xac\x57\xe0\x03\x37"
+#define NULL_CONTEXT_VALUE "\x6c\x1a\x10\x1f\xa9\x5a\xfd\xcd\xf4\xcf\x27\x09\x00\xa8\xca\x8e\x8a\x56\xfb\x80\xf0\x0d\xb3\xa6\xe9\x4a\x5f\xe0\x0c\x31\xd9"
static void check_prfs(gnutls_session_t session)
{
unsigned char key_material[512];
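Review bot: The four expected-value macros are replaced wholesale with no comment saying why the derived key material, the HELLO_VALUE transcript hash and the exporter outputs changed; a future reader cannot tell a legitimate regeneration from a silently broken PRF. Since HELLO_VALUE changed as well, the handshake transcript this test exercises presumably changed (which extension or priority change caused it is not visible in this hunk). A one-line comment above the block, e.g. `/* Expected values regenerated after <change that altered the handshake transcript>; see commit message. */`, with the cause filled in, would document the provenance of these vectors.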
diff --git a/tests/tls13/rnd-check-rollback-val.c b/tests/tls13/rnd-check-rollback-val.c
index f573596c5e..6b7adafcb5 100644
--- a/tests/tls13/rnd-check-rollback-val.c
+++ b/tests/tls13/rnd-check-rollback-val.c
@@ -89,6 +89,8 @@ static void client(int fd)
gnutls_certificate_credentials_t x509_cred;
gnutls_session_t session;
gnutls_datum_t srandom;
+ unsigned try = 0;
+ gnutls_datum_t session_data = { NULL, 0 };
global_init();
@@ -102,6 +104,7 @@ static void client(int fd)
&cli_ca3_key,
GNUTLS_X509_FMT_PEM);
+ retry:
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
@@ -112,6 +115,9 @@ static void client(int fd)
if (ret < 0)
fail("cannot set TLS priorities\n");
+ if (try > 0)
+ gnutls_session_set_data(session, session_data.data, session_data.size);
+
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
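Review bot: The return value of `gnutls_session_set_data()` on the retry path is discarded, so a failure to load the stored session (e.g. a corrupted or rejected ticket) would only surface later as the less specific `assert(gnutls_session_is_resumed(session))`. Checking it the way the surrounding code checks the priority call keeps the failure close to its cause: `ret = gnutls_session_set_data(session, session_data.data, session_data.size);` followed by `if (ret < 0) fail("cannot set session data: %s\n", gnutls_strerror(ret));`. The enclosing client() body starts and ends outside this hunk.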
@@ -129,6 +135,9 @@ static void client(int fd)
fail("error in handshake: %s\n", gnutls_strerror(ret));
}
+ if (try > 0)
+ assert(gnutls_session_is_resumed(session));
+
gnutls_session_get_random(session, NULL, &srandom);
if (srandom.size != 32)
@@ -147,10 +156,28 @@ static void client(int fd)
fail("unexpected random data for %s\n", name);
}
- close(fd);
+ do {
+ ret = gnutls_record_send(session, "\x00", 1);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+ if (try == 0) {
+ ret = gnutls_session_get_data2(session, &session_data);
+ if (ret < 0)
+ fail("couldn't retrieve session data: %s\n",
+ gnutls_strerror(ret));
+ }
gnutls_deinit(session);
+ if (try == 0) {
+ try++;
+ goto retry;
+ }
+
+ close(fd);
+
+ gnutls_free(session_data.data);
+
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
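Review bot: The `gnutls_record_send()` loop added here only retries on GNUTLS_E_AGAIN/GNUTLS_E_INTERRUPTED and never checks the final result, so a failed send on the first pass still proceeds to `gnutls_session_get_data2()` and the resumption round, and a failure would be reported (if at all) from the server side. Adding `if (ret < 0) fail("client: send did not succeed as expected: %s\n", gnutls_strerror(ret));` after the loop mirrors the server's check. The matching server hunk (`@@ -197,9 +232,26 @@`) has the complementary gap: its `gnutls_record_recv()` loop treats `ret == 0` (peer closed without data) as success, whereas `if (ret != 1)` would pin that the one-byte record actually arrived on both the initial and the resumed session. The enclosing client() body starts outside this hunk.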
@@ -162,6 +189,9 @@ static void server(int fd)
int ret;
gnutls_session_t session;
gnutls_certificate_credentials_t x509_cred;
+ gnutls_datum_t skey;
+ unsigned try = 0;
+ unsigned char buf[16];
/* this must be called once in the program
*/
@@ -177,6 +207,9 @@ static void server(int fd)
&server_key,
GNUTLS_X509_FMT_PEM);
+ assert(gnutls_session_ticket_key_generate(&skey) >= 0);
+
+ retry:
gnutls_init(&session, GNUTLS_SERVER);
gnutls_handshake_set_timeout(session, 20 * 1000);
@@ -185,6 +218,8 @@ static void server(int fd)
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+ assert(gnutls_session_ticket_enable_server(session, &skey) >= 0);
+
gnutls_transport_set_int(session, fd);
do {
@@ -197,9 +232,26 @@ static void server(int fd)
if (ret < 0)
fail("error in handshake: %s\n", gnutls_strerror(ret));
- close(fd);
+ if (try > 0)
+ assert(gnutls_session_is_resumed(session));
+
+ do {
+ ret = gnutls_record_recv(session, buf, sizeof(buf));
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+ if (ret < 0)
+ fail("server: recv did not succeed as expected: %s\n", gnutls_strerror(ret));
+
gnutls_deinit(session);
+ if (try == 0) {
+ try++;
+ goto retry;
+ }
+
+ close(fd);
+
+ gnutls_free(skey.data);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();