commit 494e4943b539c070374d97af6328bdd251133bbc
author Gilles Peskine <Gilles.Peskine@arm.com> Tue Mar 11 13:45:27 2025 +0100
committer Gilles Peskine <Gilles.Peskine@arm.com> Wed Mar 12 10:55:10 2025 +0100
tree 04806caed741e30ee86b9143bd2d599d2cae22fe
parent 1933932e553b53a8844da0a93c1052de5f0d227b

Move the defragmentation documentation to mbedtls_ssl_handshake

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

include/mbedtls/ssl.h

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index e34e3af..26b1fd4 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -4449,23 +4449,9 @@
  *                 with \c mbedtls_ssl_read()), not handshake messages.
  *                 With DTLS, this affects both ApplicationData and handshake.
  *
- * \note           Defragmentation of incoming handshake messages in TLS
- *                 (excluding DTLS) is supported with some limitations:
- *                 - On an Mbed TLS server that only accepts TLS 1.2,
- *                   the initial ClientHello message must not be fragmented.
- *                   A TLS 1.2 ClientHello may be fragmented if the server
- *                   also accepts TLS 1.3 connections (meaning
- *                   that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the
- *                   accepted versions have not been restricted with
- *                   mbedtls_ssl_conf_max_tls_version() or the like).
- *                 - A ClientHello message that initiates a renegotiation
- *                   must not be fragmented.
- *                 - The first fragment of a handshake message must be
- *                   at least 4 bytes long.
- *                 - Non-handshake records must not be interleaved between
- *                   the fragments of a handshake message. (This is permitted
- *                   in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it
- *                   even in TLS 1.2.)
+ * \note           Defragmentation of TLS handshake messages is supported
+ *                 with some limitations. See the documentation of
+ *                 mbedtls_ssl_handshake() for details.
  *
  * \note           This sets the maximum length for a record's payload,
  *                 excluding record overhead that will be added to it, see
@@ -4997,6 +4983,24 @@
  *                 if a negotiation involving TLS 1.3 takes place (this may
  *                 be the case even if TLS 1.3 is offered but eventually
  *                 not selected).
+ *
+ * \note           Defragmentation of incoming handshake messages in TLS
+ *                 (excluding DTLS) is supported with some limitations:
+ *                 - On an Mbed TLS server that only accepts TLS 1.2,
+ *                   the initial ClientHello message must not be fragmented.
+ *                   A TLS 1.2 ClientHello may be fragmented if the server
+ *                   also accepts TLS 1.3 connections (meaning
+ *                   that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the
+ *                   accepted versions have not been restricted with
+ *                   mbedtls_ssl_conf_max_tls_version() or the like).
+ *                 - A ClientHello message that initiates a renegotiation
+ *                   must not be fragmented.
+ *                 - The first fragment of a handshake message must be
+ *                   at least 4 bytes long.
+ *                 - Non-handshake records must not be interleaved between
+ *                   the fragments of a handshake message. (This is permitted
+ *                   in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it
+ *                   even in TLS 1.2.)
  */
 int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl);